Cisco UCS Director authentication bypass and command injection

Added: 09/13/2019
CVE: CVE-2019-1937

Background

Cisco UCS Director is a heterogeneous platform for private cloud Infrastructure as a Service (IaaS).

Problem

An authentication bypass vulnerability in the ClientServlet allows unauthenticated users to gain an administrative session. Furthermore, a command injection vulnerability in the SCP User Configuration function allows an administrative user to execute operating system commands. The combination of these two vulnerabilities could allow an unauthenticated attacker to execute arbitrary commands on the system.

Resolution

Upgrade to Cisco IMC Supervisor 2.2.1.0 or later, Cisco UCS Director 6.7.2.0 or later, or Cisco UCS Director Express for Big Data 3.7.2.0 or later.

References

<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authby&gt;
<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-cmdinj&gt;
<https://seclists.org/fulldisclosure/2019/Aug/36&gt;

Limitations

Exploit works on Cisco UCS Director 6.6.0 and 6.7.0.

Platforms

Linux