-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.3212.3
   Multiple vulnerabilities in Cisco Integrated Management Controller and
                             Cisco UCS Director
                              2 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Integrated Management Controller
                   Cisco UCS Director
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Root Compromise               -- Remote/Unauthenticated
                   Access Privileged Data        -- Remote/Unauthenticated
                   Denial of Service             -- Remote/Unauthenticated
                   Unauthorised Access           -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12634 CVE-2019-1937 CVE-2019-1936 CVE-2019-1935
                   CVE-2019-1908 CVE-2019-1907 CVE-2019-1900 CVE-2019-1896
                   CVE-2019-1885 CVE-2019-1883 CVE-2019-1871 CVE-2019-1865
                   CVE-2019-1864 CVE-2019-1863 CVE-2019-1850 CVE-2019-1634

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-ucs-imc-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-cmdinj
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authby
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-privescal
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-privilege
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-infodisc
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinj-1850
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinj-1864
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinj-1865
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinject-1634
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-ucs-cimc
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinject-1896
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-cimc-cli-inject
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-bo

Comment: This bulletin contains sixteen (16) Cisco Systems security advisories.

Revision History:  September 2 2019: Publicly available exploits for
                   CVE-2019-1937, CVE-2019-1936 and CVE-2019-1935
                   September 2 2019: Announcement of publicly available
                   exploits for CVE-2019-1937, CVE-2019-1936 and CVE-2019-1935
                   August 22 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Integrated Management Controller Unauthenticated Denial of Service
Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190821-imc-dos
First Published: 2019 August 21 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvo36063
CVE-2019-1900    CWE-476
CVSS Score:      7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web server of Cisco Integrated Management
    Controller (IMC) could allow an unauthenticated, remote attacker to cause
    the web server process to crash, causing a denial of service (DoS)
    condition on an affected system.

    The vulnerability is due to insufficient validation of user-supplied input
    on the web interface. An attacker could exploit this vulnerability by
    submitting a crafted HTTP request to certain endpoints of the affected
    software. A successful exploit could allow an attacker to cause the web
    server to crash. Physical access to the device may be required for a
    restart.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco UCS C-Series and S-Series Servers in
    standalone mode if they are running a vulnerable release of Cisco IMC
    Software.

    For information about fixed software releases, see the Fixed Software
    section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       UCS E-Series Servers
       5000 Series Enterprise Network Compute System
       FI-Attached servers managed by UCS Manager, including B-Series,
       C-Series, and S-Series Servers

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to the appropriate Cisco UCS C-Series and
    S-Series software release as indicated in the following table:

      Cisco IMC Software Release    First Fixed Release
      1.4                           Not vulnerable
      1.5                           Not vulnerable
      2.0                           Not vulnerable
      3.0                           Not vulnerable
      4.0                           4.0(2f)

    Customers can download Cisco IMC Software from the Software Center on
    Cisco.com by doing the following:

     1. Click Browse all.
     2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
        Standalone Server Software.
     3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
     4. On the Select a Software Type page, click Unified Computing System
        (UCS) Server Firmware.
     5. Access releases by using the left pane of the page.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-dos

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version | Description              | Section | Status | Date            |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-21  |
    +---------+--------------------------+---------+--------+-----------------+

- ------------------------------------------------------------------------------

Cisco Integrated Management Controller Supervisor, Cisco UCS Director, and
Cisco UCS Director Express for Big Data SCP User Default Credentials
Vulnerability

Priority:        Critical
Advisory ID:     cisco-sa-20190821-imcs-usercred
First Published: 2019 August 21 16:00 GMT
Last Updated:    2019 August 30 12:38 GMT
Version 1.1:     Final
Workarounds:     Yes
Cisco Bug IDs:   CSCvp19251
CVE-2019-1935    CWE-798
CVSS Score:      9.8  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in Cisco Integrated Management Controller (IMC)
    Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big
    Data could allow an unauthenticated, remote attacker to log in to the CLI
    of an affected system by using the SCP User account (scpuser), which has
    default user credentials.
    The vulnerability is due to the presence of a documented default account
    with an undocumented default password and incorrect permission settings
    for that account. Changing the default password for this account is not
    enforced during the installation of the product. An attacker could exploit
    this vulnerability by using the account to log in to an affected system. A
    successful exploit could allow the attacker to execute arbitrary commands
    with the privileges of the scpuser account. This includes full read and
    write access to the system's database.

    Cisco has released software updates that address this vulnerability. There
    are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products:

    Cisco IMC Supervisor releases:
       2.1
       2.2.0.0 through 2.2.0.6

    Cisco UCS Director releases:
       6.0
       6.5
       6.6.0.0 and 6.6.1.0
       6.7.0.0 and 6.7.1.0

    Cisco UCS Director Express for Big Data releases:
       3.0
       3.5
       3.6
       3.7.0.0 and 3.7.1.0

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o Setting a custom password for the scpuser account under Administration >
    Users and Groups > SCP User Configuration will prevent exploitation of
    this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Cisco fixed this vulnerability in the following software releases:

       Cisco Integrated Management Controller Supervisor releases 2.2.1.0 and
       later
       Cisco UCS Director releases 6.7.2.0 and later (recommended: 6.7.3.0)
       Cisco UCS Director Express for Big Data releases 3.7.2.0 and later
       (recommended: 3.7.3.0)

    Customers can download the Cisco IMC Supervisor software from the Software
    Center on Cisco.com by doing the following:

     1. Click Browse all.
     2. Choose Servers - Unified Computing > Integrated Management Controller
        (IMC) Supervisor > IMC Supervisor 2.x.
     3. Access releases by using the left pane of the IMC Supervisor 2.x page.

    Customers can download the Cisco UCS Director software from the Software
    Center on Cisco.com by doing the following:

     1. Click Browse all.
     2. Choose Servers - Unified Computing > UCS Director > UCS Director 6.7.
     3. Access releases by using the left pane of the UCS Director 6.7 page.

    Customers can download the Cisco UCS Director Express for Big Data
    software from the Software Center on Cisco.com by doing the following:

     1. Click Browse all.
     2. Choose Servers - Unified Computing > UCS Director > UCS Director
        Express for Big Data 3.7.
     3. Access releases by using the left pane of the UCS Director Express for
        Big Data 3.7 page.

Exploitation and Public Announcements

  o Security researcher Pedro Ribeiro has published details on this
    vulnerability in his GitHub repository and has also released corresponding
    Metasploit modules.

Source

  o Cisco would like to thank independent security researcher Pedro Ribeiro
    for reporting this vulnerability to iDefense's Vulnerability Contributor
    Program.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.
URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred

Revision History

  o +---------+---------------------+---------------+--------+----------------+
    | Version | Description         | Section       | Status | Date           |
    +---------+---------------------+---------------+--------+----------------+
    |         | Updated the public  |               |        |                |
    |         | announcement and    | Exploitation  |        |                |
    | 1.1     | availability of     | and Public    | Final  | 2019-August-30 |
    |         | public exploit      | Announcements |        |                |
    |         | code.               |               |        |                |
    +---------+---------------------+---------------+--------+----------------+
    | 1.0     | Initial public      | -             | Final  | 2019-August-21 |
    |         | release.            |               |        |                |
    +---------+---------------------+---------------+--------+----------------+

- ------------------------------------------------------------------------------

Cisco Integrated Management Controller Supervisor, Cisco UCS Director, and
Cisco UCS Director Express for Big Data Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190821-ucs-imc-dos
First Published: 2019 August 21 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvq89223
CVE-2019-12634   CWE-264
CVSS Score:      8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web-based management interface of Cisco Integrated
    Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS
    Director Express for Big Data could allow an unauthenticated, remote
    attacker to cause a denial of service (DoS) condition.

    The vulnerability is due to a missing authentication check in an API
    call. An attacker who can send a request to an affected system could cause
    all currently authenticated users to be logged off. Repeated exploitation
    could cause the inability to maintain a session in the web-based
    management portal.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-ucs-imc-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products:

    Cisco IMC Supervisor releases:
       2.2.0.3 through 2.2.0.6

    Cisco UCS Director releases:
       6.6.0.0 and 6.6.1.0
       6.7.0.0 through 6.7.2.0

    Cisco UCS Director Express for Big Data releases:
       3.6.0.0 and 3.6.1.0
       3.7.0.0 through 3.7.2.0

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Cisco fixed this vulnerability in the following software releases:

       Cisco IMC Supervisor releases 2.2.1.0 and later
       Cisco UCS Director releases 6.7.3.0 and later
       Cisco UCS Director Express for Big Data releases 3.7.3.0 and later

    At the time of publication, fixes for UCS Director 6.6 were expected to be
    available by late August 2019.

    Customers can download the Cisco IMC Supervisor software from the Software
    Center on Cisco.com by doing the following:

     1. Click Browse all.
     2. Choose Servers - Unified Computing > Integrated Management Controller
        (IMC) Supervisor > IMC Supervisor 2.x.
     3. Access releases by using the left pane of the IMC Supervisor 2.x page.

    Customers can download the Cisco UCS Director software from the Software
    Center on Cisco.com by doing the following:

     1. Click Browse all.
     2. Choose Servers - Unified Computing > UCS Director > UCS Director 6.7.
     3. Access releases by using the left pane of the UCS Director 6.7 page.
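Deciding which installations need the upgrade comes down to comparing each running release against the affected ranges and first-fixed releases these advisories list, and the two release formats on this page (IMC's 4.0(2f) and UCS Director's 6.7.2.0) do not compare as plain strings. The triage helper below is an added example, not part of the AusCERT bulletin or of Cisco's advisories; the release data in it is copied from the imc-dos first-fixed table and from the ucs-imc-dos affected and fixed lists above. It assumes, which the page does not state, that a Cisco IMC release orders by major, minor, build number and then build letter (so 4.0(2e) < 4.0(2f) < 4.0(4b)), and that a dotted UCS Director release orders numerically field by field.

```python
"""Release triage against advisory fixed-release data (added example; not
bulletin or Cisco code).  Ordering assumption, not stated on the page:
IMC '4.0(2f)' -> major, minor, build number, build letter; UCS Director
'6.7.2.0' -> numeric fields compared left to right."""
import re

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version: str) -> tuple:
    """'4.0(2f)' -> ((0,4),(0,0),(0,2),(1,'f')), '6.7.2.0' -> ((0,6),(0,7),(0,2),(0,0)).
    Fields are tagged (0, int) or (1, letters) so a tuple comparison never
    has to compare an int with a str."""
    tokens = _TOKEN.findall(version)
    if not tokens:
        raise ValueError(f"no version fields in {version!r}")
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower()) for t in tokens)


def train(version: str) -> str:
    """Major.minor release train: '4.0(2f)' -> '4.0', '6.7.1.0' -> '6.7'."""
    nums = [t for t in _TOKEN.findall(version) if t.isdigit()]
    if len(nums) < 2:
        raise ValueError(f"cannot derive a release train from {version!r}")
    return f"{nums[0]}.{nums[1]}"


# cisco-sa-20190821-imc-dos "Fixed Releases" table: train -> first fixed
# release, or None where the advisory lists the train as not vulnerable.
IMC_DOS_FIRST_FIXED = {"1.4": None, "1.5": None, "2.0": None, "3.0": None,
                       "4.0": "4.0(2f)"}


def imc_dos_status(version: str) -> str:
    t = train(version)
    if t not in IMC_DOS_FIRST_FIXED:
        return "not listed"            # train absent from the advisory table
    fixed = IMC_DOS_FIRST_FIXED[t]
    if fixed is None:
        return "not vulnerable"
    return "fixed" if version_key(version) >= version_key(fixed) else "vulnerable"


def affected_by(version: str, entries) -> bool:
    """Entries keep the advisory's own phrasing: 'A through B' is a closed
    range, 'A and B' names exactly those two releases, and a bare '6.5'
    means the whole 6.5 train."""
    key = version_key(version)
    for entry in entries:
        if " through " in entry:
            lo, hi = (version_key(v) for v in entry.split(" through "))
            if lo <= key <= hi:
                return True
        elif " and " in entry:
            if key in {version_key(v) for v in entry.split(" and ")}:
                return True
        elif train(version) == entry or key == version_key(entry):
            return True
    return False


# cisco-sa-20190821-ucs-imc-dos: product -> (affected entries, first fixed)
UCS_IMC_DOS = {
    "IMC Supervisor": (["2.2.0.3 through 2.2.0.6"], "2.2.1.0"),
    "UCS Director": (["6.6.0.0 and 6.6.1.0", "6.7.0.0 through 6.7.2.0"], "6.7.3.0"),
    "UCS Director Express for Big Data":
        (["3.6.0.0 and 3.6.1.0", "3.7.0.0 through 3.7.2.0"], "3.7.3.0"),
}


def ucs_imc_dos_status(product: str, version: str) -> str:
    affected, first_fixed = UCS_IMC_DOS[product]
    if affected_by(version, affected):
        return "vulnerable"
    if version_key(version) >= version_key(first_fixed):
        return "fixed"
    # e.g. UCS Director 6.6.0.5: neither enumerated as affected nor at or
    # after the fix, so the advisory does not settle it.
    return "not listed"


if __name__ == "__main__":
    for v in ("4.0(2e)", "4.0(2f)", "3.0(4k)", "4.1(1c)"):
        print(f"IMC {v}: {imc_dos_status(v)}")
    for v in ("6.7.1.0", "6.6.1.0", "6.7.3.0", "6.6.0.5"):
        print(f"UCS Director {v}: {ucs_imc_dos_status('UCS Director', v)}")
```

A release that is neither enumerated as affected nor at or after the first fixed release is reported as "not listed" rather than guessed at; for an inventory script that is the correct answer, since the advisory does not settle it and the installation needs a vendor check rather than a silent pass.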
Customers can download the Cisco UCS Director Express for Big Data software from the Software Center on Cisco.com by doing the following: 1. Click Browse all . 2. Choose Servers - Unified Computing > UCS Director > UCS Director Express for Big Data 3.7 . 3. Access releases by using the left pane of the UCS Director Express for Big Data 3.7 page. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190821-ucs-imc-dos Revision History o +---------+--------------------------+---------+--------+-----------------+ | Version | Description | Section | Status | Date | +---------+--------------------------+---------+--------+-----------------+ | 1.0 | Initial public release. 
| - | Final | 2019-August-21 | +---------+--------------------------+---------+--------+-----------------+ - ------------------------------------------------------------------------------ Cisco Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data Command Injection Vulnerability Priority: High Advisory ID: cisco-sa-20190821-imcs-ucs-cmdinj First Published: 2019 August 21 16:00 GMT Last Updated: 2019 August 30 12:33 GMT Version 1.1: Final Workarounds: No workarounds availableCisco Bug IDs: CSCvp19245 CVE-2019-1936 CWE-20 CVSS Score: 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X Summary o A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an authenticated, remote attacker to execute arbitrary commands on the underlying Linux shell as the root user. Exploitation of this vulnerability requires privileged access to an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by logging in to the web-based management interface with administrator privileges and then sending a malicious request to a certain part of the interface. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. 
This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190821-imcs-ucs-cmdinj Affected Products o Vulnerable Products This vulnerability affects the following Cisco products: Cisco IMC Supervisor releases: 2.1 2.2.0.0 through 2.2.0.6 Cisco UCS Director releases: 6.0 6.5 6.6.0.0 and 6.6.1.0 6.7.0.0 and 6.7.1.0 Cisco UCS Director Express for Big Data releases: 3.0 3.5 3.6 3.7.0.0 and 3.7.1.0 Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page , to determine exposure and a complete upgrade solution. 
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Fixed Releases Cisco fixed this vulnerability in the following software releases: Cisco IMC Supervisor releases 2.2.1.0 and later Cisco UCS Director releases 6.7.2.0 and later (recommended: 6.7.3.0) Cisco UCS Director Express for Big Data releases 3.7.2.0 and later (recommended: 3.7.3.0) Customers can download the Cisco IMC Supervisor software from the Software Center on Cisco.com by doing the following: 1. Click Browse all . 2. Choose Servers - Unified Computing > Integrated Management Controller (IMC) Supervisor > IMC Supervisor 2.x . 3. Access releases by using the left pane of the IMC Supervisor 2.x page. Customers can download the Cisco UCS Director software from the Software Center on Cisco.com by doing the following: 1. Click Browse all . 2. Choose Servers - Unified Computing > UCS Director > UCS Director 6.7 . 3. Access releases by using the left pane of the UCS Director 6.7 page. Customers can download the Cisco UCS Director Express for Big Data software from the Software Center on Cisco.com by doing the following: 1. Click Browse all . 2. 
Choose Servers - Unified Computing > UCS Director > UCS Director Express for Big Data 3.7 . 3. Access releases by using the left pane of the UCS Director Express for Big Data 3.7 page. Exploitation and Public Announcements o Security researcher Pedro Ribeiro has published details on this vulnerability in his GitHub repository and has also released corresponding Metasploit modules. Source o Cisco would like to thank independent security researcher Pedro Ribeiro for reporting this vulnerability to iDefense's Vulnerability Contributor Program. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Action Links for This Advisory o Snort Rule 50903 URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190821-imcs-ucs-cmdinj Revision History o +---------+---------------------+---------------+--------+----------------+ | Version | Description | Section | Status | Date | +---------+---------------------+---------------+--------+----------------+ | | Updated the public | | | | | | announcement and | Exploitation | | | | 1.1 | availability of | and Public | Final | 2019-August-30 | | | public exploit | Announcements | | | | | code. | | | | +---------+---------------------+---------------+--------+----------------+ | 1.0 | Initial public | - | Final | 2019-August-21 | | | release. 
| | | | +---------+---------------------+---------------+--------+----------------+ - ------------------------------------------------------------------------------ Cisco Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data Authentication Bypass Vulnerability Priority: Critical Advisory ID: cisco-sa-20190821-imcs-ucs-authby First Published: 2019 August 21 16:00 GMT Last Updated: 2019 August 30 12:30 GMT Version 1.1: Final Workarounds: No workarounds availableCisco Bug IDs: CSCvp19229 CVE-2019-1937 CWE-287 CVSS Score: 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X Summary o A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to acquire a valid session token with administrator privileges, bypassing user authentication. The vulnerability is due to insufficient request header validation during the authentication process. An attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker to use the acquired session token to gain full administrator access to the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. 
This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190821-imcs-ucs-authby Affected Products o Vulnerable Products This vulnerability affects the following Cisco products: Cisco IMC Supervisor releases: 2.2.0.3 through 2.2.0.6 Cisco UCS Director releases: 6.6.0.0 and 6.6.1.0 6.7.0.0 and 6.7.1.0 Cisco UCS Director Express for Big Data releases: 3.6 3.7.0.0 and 3.7.1.0 Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page , to determine exposure and a complete upgrade solution. 
    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Cisco fixed this vulnerability in the following software releases:

      Cisco IMC Supervisor releases 2.2.1.0 and later
      Cisco UCS Director releases 6.7.2.0 and later (recommended: 6.7.3.0)
      Cisco UCS Director Express for Big Data releases 3.7.2.0 and later
        (recommended: 3.7.3.0)

    Customers can download the Cisco IMC Supervisor software from the Software
    Center on Cisco.com by doing the following:

      1. Click Browse all.
      2. Choose Servers - Unified Computing > Integrated Management Controller
         (IMC) Supervisor > IMC Supervisor 2.x.
      3. Access releases by using the left pane of the IMC Supervisor 2.x page.

    Customers can download the Cisco UCS Director software from the Software
    Center on Cisco.com by doing the following:

      1. Click Browse all.
      2. Choose Servers - Unified Computing > UCS Director > UCS Director 6.7.
      3. Access releases by using the left pane of the UCS Director 6.7 page.

    Customers can download the Cisco UCS Director Express for Big Data software
    from the Software Center on Cisco.com by doing the following:

      1. Click Browse all.
      2. Choose Servers - Unified Computing > UCS Director > UCS Director
         Express for Big Data 3.7.
      3. Access releases by using the left pane of the UCS Director Express for
         Big Data 3.7 page.

Exploitation and Public Announcements

  o Security researcher Pedro Ribeiro has published details on this
    vulnerability in his GitHub repository and has also released corresponding
    Metasploit modules.

Source

  o Cisco would like to thank independent security researcher Pedro Ribeiro for
    reporting this vulnerability to iDefense's Vulnerability Contributor
    Program.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authby

Revision History

  o +---------+---------------------+---------------+--------+----------------+
    | Version | Description         | Section       | Status | Date           |
    +---------+---------------------+---------------+--------+----------------+
    |         | Updated the public  |               |        |                |
    |         | announcement and    | Exploitation  |        |                |
    | 1.1     | availability of     | and Public    | Final  | 2019-August-30 |
    |         | public exploit      | Announcements |        |                |
    |         | code.               |               |        |                |
    +---------+---------------------+---------------+--------+----------------+
    | 1.0     | Initial public      | -             | Final  | 2019-August-21 |
    |         | release.            |               |        |                |
    +---------+---------------------+---------------+--------+----------------+

- -------------------------------------------------------------------------------

Cisco Integrated Management Controller Substring Comparison Privilege
Escalation Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190821-imc-privescal
First Published: 2019 August 21 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvo36080
CVE-2019-1907
CWE-285
CVSS Score:      8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web server of Cisco Integrated Management Controller
    (IMC) could allow an authenticated, remote attacker to set sensitive
    configuration values and gain elevated privileges.

    The vulnerability is due to improper handling of substring comparison
    operations that are performed by the affected software. An attacker could
    exploit this vulnerability by sending a crafted HTTP request to the
    affected software. A successful exploit could allow the attacker with
    read-only privileges to gain administrator privileges.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-privescal

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco UCS C-Series and S-Series Servers in
    standalone mode if they are running a vulnerable release of Cisco IMC
    Software.

    For information about fixed software releases, consult the Fixed Software
    section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.
    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

      UCS E-Series Servers
      5000 Series Enterprise Network Compute System
      FI-Attached servers managed by UCS Manager, including B-Series, C-Series,
        and S-Series Servers

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.
    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to the appropriate Cisco UCS C-Series and
    S-Series software release as indicated in the following table:

    +----------------------------+---------------------------+
    | Cisco IMC Software Release | First Fixed Release       |
    +----------------------------+---------------------------+
    | 1.4                        | Not vulnerable            |
    | 1.5                        | Not vulnerable            |
    | 2.0                        | Not vulnerable            |
    | 3.0                        | Not vulnerable            |
    | 4.0                        | 4.0(2f), 4.0(4b)          |
    +----------------------------+---------------------------+

    Customers can download Cisco IMC Software from the Software Center on
    Cisco.com by doing the following:

      1. Click Browse all.
      2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
         Standalone Server Software.
      3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
      4. On the Select a Software Type page, click Unified Computing System
         (UCS) Server Firmware.
      5. Access releases by using the left pane of the page.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.
URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-privescal

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version | Description              | Section | Status | Date            |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-21  |
    +---------+--------------------------+---------+--------+-----------------+

- -----------------------------------------------------------------------------

Cisco Integrated Management Controller Privilege Escalation Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190821-imc-privilege
First Published: 2019 August 21 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvn21011
CVE-2019-1863
CWE-285
CVSS Score:      6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web-based management interface of Cisco Integrated
    Management Controller (IMC) Software could allow an authenticated, remote
    attacker to make unauthorized changes to the system configuration.

    The vulnerability is due to insufficient authorization enforcement. An
    attacker could exploit this vulnerability by sending a crafted HTTP request
    to the affected software. A successful exploit could allow a user with
    read-only privileges to change critical system configurations using
    administrator privileges.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-privilege

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are running
    a vulnerable release of Cisco IMC Software:

      UCS C-Series and S-Series Servers in standalone mode
      UCS E-Series Servers
      5000 Series Enterprise Network Compute System (ENCS) Platforms

    For information about affected software releases, consult the Fixed
    Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco FI-Attached servers that are managed by UCS Manager:

      UCS B-Series Servers
      UCS C-Series Servers
      UCS S-Series Servers

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.
    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Cisco UCS C-Series and S-Series Servers

    Customers are advised to upgrade to the appropriate Cisco UCS C-Series and
    S-Series software release as indicated in the following table:

    +----------------------------+---------------------------+
    | Cisco IMC Software Release | First Fixed Release       |
    +----------------------------+---------------------------+
    | 1.4                        | Not vulnerable            |
    | 1.5                        | 1.5(9g)                   |
    | 2.0                        | 2.0(13o)                  |
    | 3.0                        | 3.0(4k)                   |
    | 4.0                        | 4.0(1d), 4.0(2c), 4.0(4b) |
    +----------------------------+---------------------------+

    Customers can download Cisco IMC Software from the Software Center on
    Cisco.com by doing the following:

      1. Click Browse all.
      2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
         Standalone Server Software.
      3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
      4. On the Select a Software Type page, click Unified Computing System
         (UCS) Server Firmware.
      5. Access releases by using the left pane of the page.
    Cisco UCS E-Series Servers

    Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
    Cisco UCS E-Series Servers. Customers can download the software from the
    Software Center on Cisco.com by doing the following:

      1. Click Browse all.
      2. Navigate to Servers - Unified Computing > UCS E-Series Software.
      3. In the right pane, choose the appropriate Cisco UCS E-Series platform.
      4. On the Select a Software Type page, click Unified Computing System
         (UCS) Server Firmware.
      5. Access releases by using the left pane of the page.

    Cisco 5000 Series Enterprise Network Compute System Platforms

    Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
    Cisco 5000 Series ENCS Platforms. Customers can download the software from
    the Software Center on Cisco.com by doing the following:

      1. Click Browse all.
      2. Navigate to Routers > Network Functions Virtualization > 5000 Series
         Enterprise Network Compute System.
      3. In the right pane, choose the appropriate ENCS platform.
      4. On the Select a Software Type page, click ENCS Software.
      5. Access releases by using the left pane of the page.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.
URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-privilege

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version | Description              | Section | Status | Date            |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-21  |
    +---------+--------------------------+---------+--------+-----------------+

- ------------------------------------------------------------------------------

Cisco Integrated Management Controller Information Disclosure Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190821-imc-infodisc
First Published: 2019 August 21 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvo36096
CVE-2019-1908
CWE-200
CVSS Score:      7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Intelligent Platform Management Interface (IPMI)
    implementation of Cisco Integrated Management Controller (IMC) could allow
    an unauthenticated, remote attacker to view sensitive system information.

    The vulnerability is due to insufficient security restrictions imposed by
    the affected software. A successful exploit could allow the attacker to
    view sensitive information that belongs to other users. The attacker could
    then use this information to conduct additional attacks.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-infodisc

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco UCS C-Series and S-Series Servers in
    standalone mode if they are running a vulnerable release of Cisco IMC
    Software.

    For information about fixed software releases, consult the Fixed Software
    section of this advisory.
    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

      UCS E-Series Servers
      5000 Series Enterprise Network Compute System
      FI-Attached servers managed by UCS Manager, including UCS B-Series,
        C-Series, and S-Series Servers

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.
    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to the appropriate Cisco UCS C-Series and
    S-Series software release as indicated in the following table:

    +----------------------------+---------------------------+
    | Cisco IMC Software Release | First Fixed Release       |
    +----------------------------+---------------------------+
    | 1.4                        | Not vulnerable            |
    | 1.5                        | Not vulnerable            |
    | 2.0                        | 2.0(13o)                  |
    | 3.0                        | 3.0(4k)                   |
    | 4.0                        | 4.0(2f), 4.0(4b)          |
    +----------------------------+---------------------------+

    Customers can download Cisco IMC Software from the Software Center on
    Cisco.com by doing the following:

      1. Click Browse all.
      2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
         Standalone Server Software.
      3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
      4. On the Select a Software Type page, click Unified Computing System
         (UCS) Server Firmware.
      5. Access releases by using the left pane of the page.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.
URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-infodisc

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version | Description              | Section | Status | Date            |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-21  |
    +---------+--------------------------+---------+--------+-----------------+

- ------------------------------------------------------------------------------

Cisco Integrated Management Controller Command Injection Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190821-imc-cmdinj-1850
First Published: 2019 August 21 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvn20998, CSCvq09455
CVE-2019-1850
CWE-78
CVSS Score:      7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web-based management interface of Cisco Integrated
    Management Controller (IMC) Software could allow an authenticated, remote
    attacker to inject arbitrary commands that are executed with root
    privileges on an affected device. An attacker would need to have valid
    administrator credentials on the device.

    The vulnerability is due to insufficient validation of user-supplied input
    by the affected software. An attacker with elevated privileges could
    exploit this vulnerability by sending crafted commands to the
    administrative web management interface of the affected software. A
    successful exploit could allow the attacker to inject and execute
    arbitrary, system-level commands with root privileges on an affected
    device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinj-1850

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products:

      UCS C-Series and S-Series Servers in standalone mode that are running
        Cisco IMC Software earlier than the first fixed releases of 3.0 and
        4.0.
      UCS E-Series Servers that are running Cisco IMC Software earlier than
        the first fixed release of 3.2(8).
      5000 Series Enterprise Network Compute System (ENCS) Platforms that are
        running Cisco IMC Software earlier than the first fixed release of
        3.2(8).

    For information about affected software releases, consult the Fixed
    Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco FI-Attached servers that are managed by UCS Manager:

      UCS B-Series Servers
      UCS C-Series Servers
      UCS S-Series Servers

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased.
    Free security software updates do not entitle customers to a new software
    license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to the appropriate UCS C-Series and
    S-Series software release as indicated in the following table:

    +----------------------------+---------------------------+
    | Cisco IMC Software Release | First Fixed Release       |
    +----------------------------+---------------------------+
    | 1.4                        | Not vulnerable            |
    | 1.5                        | Not vulnerable            |
    | 2.0                        | Not vulnerable            |
    | 3.0                        | 3.0(4k)                   |
    | 4.0                        | 4.0(2f), 4.0(4b)          |
    +----------------------------+---------------------------+

    Customers can download Cisco IMC Software from the Software Center on
    Cisco.com by doing the following:

      1. Click Browse all.
      2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
         Standalone Server Software.
      3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
      4. On the Select a Software Type page, click Unified Computing System
         (UCS) Server Firmware.
      5. Access releases by using the left pane of the page.

    Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
    Cisco UCS E-Series Servers. Customers can download the software from the
    Software Center on Cisco.com by doing the following:

      1. Click Browse all.
      2. Navigate to Servers - Unified Computing > UCS E-Series Software.
      3. In the right pane, choose the appropriate Cisco UCS E-Series platform.
      4. On the Select a Software Type page, click Unified Computing System
         (UCS) Server Firmware.
      5. Access releases by using the left pane of the page.

    Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
    Cisco 5000 Series Enterprise Network Compute System (ENCS) Platforms.
    Customers can download the software from the Software Center on Cisco.com
    by doing the following:

      1. Click Browse all.
      2. Navigate to Routers > Network Functions Virtualization > 5000 Series
         Enterprise Network Compute System.
      3. In the right pane, choose the appropriate ENCS platform.
      4. On the Select a Software Type page, click ENCS Software.
      5. Access releases by using the left pane of the page.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.
URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinj-1850

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version | Description              | Section | Status | Date            |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-21  |
    +---------+--------------------------+---------+--------+-----------------+

- ------------------------------------------------------------------------------

Cisco Integrated Management Controller Command Injection Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190821-imc-cmdinj-1864
First Published: 2019 August 21 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvn21003
CVE-2019-1864
CWE-78
CVSS Score:      8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web-based management interface of Cisco Integrated
    Management Controller (IMC) Software could allow an authenticated, remote
    attacker to inject arbitrary commands that are executed with root
    privileges on an affected device.

    The vulnerability is due to insufficient validation of command input by
    the affected software. An attacker could exploit this vulnerability by
    sending malicious commands to the web-based management interface of the
    affected software. A successful exploit could allow the attacker, with
    read-only privileges, to inject and execute arbitrary, system-level
    commands with root privileges on an affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinj-1864

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are running
    a vulnerable release of Cisco IMC Software:

      UCS C-Series and S-Series Servers in standalone mode
      UCS E-Series Servers
      5000 Series Enterprise Network Compute System (ENCS) Platforms

    For information about affected software releases, consult the Fixed
    Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco FI-Attached servers managed by UCS Manager:

      Cisco UCS B-Series Servers
      Cisco UCS C-Series Servers
      Cisco UCS S-Series Servers

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.
When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Fixed Releases Cisco UCS C-Series and S-Series Servers Customers are advised to upgrade to the appropriate UCS C-Series and S-Series Software release as indicated in the following table: Cisco IMC Software Release First Fixed Release 1.4 Not vulnerable 1.5 1.5(9g) 2.0 2.0(13o) 3.0 3.0(4k) 4.0 4.0(2f),4.0(4b) Customers can download Cisco IMC Software from the Software Center on Cisco.com by doing the following: 1. Click Browse all . 2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount Standalone Server Software . 3. In the right pane, choose the appropriate Cisco UCS C-Series platform. 4. On the Select a Software Type page, click Unified Computing System (UCS) Server Firmware . 5. Access releases by using the left pane of the page. 
Cisco UCS E-Series Servers Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for Cisco UCS E-Series Servers. Customers can download the software from the Software Center on Cisco.com by doing the following: 1. Click Browse all . 2. Navigate to Servers - Unified Computing > UCS E-Series Software . 3. In the right pane, choose the appropriate Cisco UCS E-Series platform. 4. On the Select a Software Type page, click Unified Computing System (UCS) Server Firmware . 5. Access releases by using the left pane of the page. Cisco 5000 Series Enterprise Network Compute System Platforms Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for Cisco 5000 Series Enterprise Network Compute System (ENCS) Platforms. Customers can download the software from the Software Center on Cisco.com by doing the following: 1. Click Browse all . 2. Navigate to Routers > Network Functions Virtualization > 5000 Series Enterprise Network Compute System . 3. In the right pane, choose the appropriate ENCS platform. 4. On the Select a Software Type page, click ENCS Software . 5. Access releases by using the left pane of the page. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. 
URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinj-1864

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version | Description              | Section | Status | Date            |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-21  |
    +---------+--------------------------+---------+--------+-----------------+

- ------------------------------------------------------------------------------

Cisco Integrated Management Controller Command Injection Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190821-imc-cmdinj-1865
First Published: 2019 August 21 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvn20993
CVE-2019-1865    CWE-78
CVSS Score:      8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web-based management interface of Cisco Integrated
    Management Controller (IMC) Software could allow an authenticated, remote
    attacker to inject arbitrary commands that are executed with root
    privileges on an affected device.

    The vulnerability is due to insufficient validation of user-supplied input
    by the affected software. An attacker could exploit this vulnerability by
    invoking an interface monitoring mechanism with a crafted argument on the
    affected software. A successful exploit could allow the attacker to inject
    and execute arbitrary, system-level commands with root privileges on an
    affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinj-1865

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are
    running a vulnerable release of Cisco IMC Software:

        UCS C-Series and S-Series Servers in standalone mode
        UCS E-Series Servers
        5000 Series Enterprise Network Compute System (ENCS) Platforms

    For information about affected software releases, consult the Fixed
    Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco FI-Attached servers managed by UCS Manager:

        Cisco UCS B-Series Servers
        Cisco UCS C-Series Servers
        Cisco UCS S-Series Servers

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Cisco UCS C-Series and S-Series Servers

    Customers are advised to upgrade to the appropriate UCS C-Series and
    S-Series Software release as indicated in the following table:

        Cisco IMC Software Release    First Fixed Release
        1.4                           Not vulnerable
        1.5                           1.5(9g)
        2.0                           2.0(13o)
        3.0                           3.0(4k)
        4.0                           4.0(1d), 4.0(2c), 4.0(4b)

    Customers can download Cisco IMC Software from the Software Center on
    Cisco.com by doing the following:

    1. Click Browse all.
    2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
       Standalone Server Software.
    3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
    4. On the Select a Software Type page, click Unified Computing System (UCS)
       Server Firmware.
    5. Access releases by using the left pane of the page.

    Cisco UCS E-Series Servers

    Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
    Cisco UCS E-Series Servers. Customers can download the software from the
    Software Center on Cisco.com by doing the following:

    1. Click Browse all.
    2. Navigate to Servers - Unified Computing > UCS E-Series Software.
    3. In the right pane, choose the appropriate Cisco UCS E-Series platform.
    4. On the Select a Software Type page, click Unified Computing System (UCS)
       Server Firmware.
    5. Access releases by using the left pane of the page.

    Cisco 5000 Series Enterprise Network Compute System Platforms

    Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
    Cisco 5000 Series Enterprise Network Compute System (ENCS) Platforms.
    Customers can download the software from the Software Center on Cisco.com
    by doing the following:

    1. Click Browse all.
    2. Navigate to Routers > Network Functions Virtualization > 5000 Series
       Enterprise Network Compute System.
    3. In the right pane, choose the appropriate ENCS platform.
    4. On the Select a Software Type page, click ENCS Software.
    5. Access releases by using the left pane of the page.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.
URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinj-1865

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version | Description              | Section | Status | Date            |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-21  |
    +---------+--------------------------+---------+--------+-----------------+

- ------------------------------------------------------------------------------

Cisco Integrated Management Controller Command Injection Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190821-imc-cmdinject-1634
First Published: 2019 August 21 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvo35971
CVE-2019-1634    CWE-78
CVSS Score:      7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Intelligent Platform Management Interface (IPMI) of
    Cisco Integrated Management Controller (IMC) could allow an authenticated,
    remote attacker to inject arbitrary commands that are executed with root
    privileges on the underlying operating system (OS).

    The vulnerability is due to insufficient input validation of user-supplied
    commands. An attacker who has administrator privileges and access to the
    network where the IPMI resides could exploit this vulnerability by
    submitting crafted input to the affected commands. A successful exploit
    could allow the attacker to gain root privileges on the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinject-1634

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are
    running a vulnerable release of Cisco IMC Software:

        UCS C-Series and S-Series Servers in standalone mode
        UCS E-Series Servers
        5000 Series Enterprise Network Compute System (ENCS) Platforms

    For information about affected software releases, consult the Fixed
    Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco FI-Attached servers that are managed by UCS Manager:

        UCS B-Series Servers
        UCS C-Series Servers
        UCS S-Series Servers

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Cisco UCS C-Series and S-Series Servers

    Customers are advised to upgrade to the appropriate Cisco UCS C-Series and
    S-Series software release as indicated in the following table:

        Cisco IMC Software Release    First Fixed Release
        1.4                           Not vulnerable
        1.5                           1.5(9g)
        2.0                           2.0(13o)
        3.0                           3.0(4k)
        4.0                           4.0(2f), 4.0(4b)

    Customers can download Cisco IMC Software from the Software Center on
    Cisco.com by doing the following:

    1. Click Browse all.
    2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
       Standalone Server Software.
    3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
    4. On the Select a Software Type page, click Unified Computing System (UCS)
       Server Firmware.
    5. Access releases by using the left pane of the page.

    Cisco UCS E-Series Servers

    Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
    Cisco UCS E-Series Servers. Customers can download the software from the
    Software Center on Cisco.com by doing the following:

    1. Click Browse all.
    2. Navigate to Servers - Unified Computing > UCS E-Series Software.
    3. In the right pane, choose the appropriate Cisco UCS E-Series platform.
    4. On the Select a Software Type page, click Unified Computing System (UCS)
       Server Firmware.
    5. Access releases by using the left pane of the page.

    Cisco 5000 Series Enterprise Network Compute System Platforms

    Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
    Cisco 5000 Series ENCS platforms. Customers can download the software from
    the Software Center on Cisco.com by doing the following:

    1. Click Browse all.
    2. Navigate to Routers > Network Functions Virtualization > 5000 Series
       Enterprise Network Compute System.
    3. In the right pane, choose the appropriate ENCS platform.
    4. On the Select a Software Type page, click ENCS Software.
    5. Access releases by using the left pane of the page.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.
URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinject-1634

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version | Description              | Section | Status | Date            |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-21  |
    +---------+--------------------------+---------+--------+-----------------+

- ------------------------------------------------------------------------------

Cisco Integrated Management Controller Command Injection Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190821-ucs-cimc
First Published: 2019 August 21 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvo01180
CVE-2019-1885    CWE-78
CVSS Score:      7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Redfish protocol of Cisco Integrated Management
    Controller (IMC) could allow an authenticated, remote attacker to inject
    and execute arbitrary commands with root privileges on an affected device.

    The vulnerability is due to insufficient validation of user-supplied input
    by the affected software. An attacker could exploit this vulnerability by
    sending crafted authenticated commands to the web-based management
    interface of the affected software. A successful exploit could allow the
    attacker to inject and execute arbitrary commands on an affected device
    with root privileges.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-ucs-cimc

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco UCS C-Series and S-Series Servers in
    Standalone mode that are running Cisco IMC Software prior to the first
    fixed releases of 3.0 and 4.0.

    For information about affected software releases, consult the Fixed
    Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

        UCS E-Series Servers
        5000 Series Enterprise Network Compute System
        FI-Attached servers managed by UCS Manager, including UCS B-Series,
        C-Series, and S-Series Servers

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to the appropriate UCS C-Series and
    S-Series software release as indicated in the following table:

        Cisco IMC Software Release    First Fixed Release
        1.4                           Not vulnerable
        1.5                           Not vulnerable
        2.0                           Not vulnerable
        3.0                           3.0(4k)
        4.0                           4.0(2f), 4.0(4b)

    Customers can download Cisco IMC Software from the Software Center on
    Cisco.com by doing the following:

    1. Click Browse all.
    2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
       Standalone Server Software.
    3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
    4. On the Select a Software Type page, click Unified Computing System (UCS)
       Server Firmware.
    5. Access releases by using the left pane of the page.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-ucs-cimc

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version | Description              | Section | Status | Date            |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-21  |
    +---------+--------------------------+---------+--------+-----------------+

- ------------------------------------------------------------------------------

Cisco Integrated Management Controller CSR Generation Command Injection
Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190821-imc-cmdinject-1896
First Published: 2019 August 21 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvo36057
CVE-2019-1896    CWE-78
CVSS Score:      7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web-based management interface of Cisco Integrated
    Management Controller (IMC) could allow an authenticated, remote attacker
    to inject arbitrary commands and obtain root privileges.

    The vulnerability is due to insufficient validation of user-supplied input
    in the Certificate Signing Request (CSR) function of the web-based
    management interface. An attacker could exploit this vulnerability by
    submitting a crafted CSR in the web-based management interface. A
    successful exploit could allow an attacker with administrator privileges
    to execute arbitrary commands on the device with full root privileges.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.
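The CSR advisory above, like the web-interface (cmdinj-1864, cmdinj-1865), IPMI (cmdinject-1634) and Redfish (ucs-cimc) advisories before it, describes one defect class, CWE-78: a management process running as root hands attacker-controlled text to a shell. The Python below is an illustration added to this bulletin; it is not Cisco IMC code and not the advisory's exploit. It uses a hypothetical CSR helper in which `echo` stands in for the `openssl req` invocation so the demo runs on any host with /bin/sh, and shows the vulnerable shell-string pattern beside a hardened version that validates each DN attribute against an allowlist and passes an argv list with no shell involved. The attacker input is constructed.

```python
import re
import subprocess
from typing import List

# Hypothetical CSR helper for a management controller, written for this
# bulletin to illustrate CWE-78. It is not Cisco IMC code. `echo` stands in
# for the `openssl req` invocation so the demo runs without OpenSSL; the
# shell's parsing of the command string, which is what the defect is about,
# is exactly the same.


def vulnerable_subject_command(common_name: str) -> str:
    """Vulnerable pattern: user-supplied DN text pasted into a shell command line.

    The single quotes look protective, but any ' in the input closes them and
    everything after it is parsed by the shell as further commands.
    """
    return f"echo '/CN={common_name}'"


def run_vulnerable(common_name: str) -> str:
    """Run the vulnerable command through /bin/sh and return what it printed."""
    proc = subprocess.run(vulnerable_subject_command(common_name),
                          shell=True, capture_output=True, text=True)
    return proc.stdout


# Hardened path. Two independent controls: validate each DN attribute value
# against an allowlist (letters, digits, space, dot, hyphen; at most 64
# characters, the X.520 upper bound for commonName), and never involve a shell.
_DN_VALUE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 .-]{0,63}$")


def validate_dn_value(label: str, value: str) -> str:
    """Return value unchanged if it is allowlisted, else raise ValueError."""
    if not _DN_VALUE_RE.match(value):
        raise ValueError(f"rejected {label} value {value!r}: only letters, digits, "
                         "space, dot and hyphen are allowed (max 64 chars)")
    return value


def build_csr_argv(common_name: str, organization: str,
                   key_path: str = "server.key",
                   csr_path: str = "server.csr") -> List[str]:
    """Return the argv list for `openssl req`; argv elements are never shell-parsed.

    Paths are illustrative defaults, not device paths.
    """
    subject = "/CN={}/O={}".format(validate_dn_value("CN", common_name),
                                   validate_dn_value("O", organization))
    return ["openssl", "req", "-new", "-key", key_path,
            "-subj", subject, "-out", csr_path]


def run_hardened_demo(common_name: str) -> str:
    """Same stand-in as run_vulnerable, but as an argv list with no shell:
    metacharacters in the input reach the program as ordinary bytes."""
    proc = subprocess.run(["echo", f"/CN={common_name}"],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed attacker input: closes the quoted argument, appends a command.
    evil = "x'; echo INJECTED; echo '"
    print("shell string:", run_vulnerable(evil).splitlines())     # ['/CN=x', 'INJECTED', '']
    print("argv list   :", run_hardened_demo(evil).splitlines())  # ["/CN=x'; echo INJECTED; echo '"]
    try:
        build_csr_argv(evil, "Example Org")
    except ValueError as err:
        print("validation  :", err)
    print(build_csr_argv("imc01.example.test", "Example Org"))
```

The argv form alone already stops the injection; the allowlist is kept as well because a `/` or `=` in a DN value would still rewrite the subject structure that `openssl` parses, and because rejecting bad input at the interface gives the audit log a clear event instead of a malformed certificate request.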
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinject-1896

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are
    running a vulnerable release of Cisco IMC Software:

        UCS C-Series and S-Series Servers in standalone mode
        UCS E-Series Servers
        5000 Series Enterprise Network Compute System (ENCS) Platforms

    For information about affected software releases, consult the Fixed
    Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco FI-Attached servers that are managed by UCS Manager:

        UCS B-Series Servers
        UCS C-Series Servers
        UCS S-Series Servers

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Cisco UCS C-Series and S-Series Servers

    Customers are advised to upgrade to the appropriate Cisco UCS C-Series and
    S-Series software release as indicated in the following table:

        Cisco IMC Software Release    First Fixed Release
        1.4                           Not vulnerable
        1.5                           Not vulnerable
        2.0                           2.0(13o)
        3.0                           3.0(4k)
        4.0                           4.0(2f), 4.0(4b)

    Customers can download Cisco IMC Software from the Software Center on
    Cisco.com by doing the following:

    1. Click Browse all.
    2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
       Standalone Server Software.
    3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
    4. On the Select a Software Type page, click Unified Computing System (UCS)
       Server Firmware.
    5. Access releases by using the left pane of the page.

    Cisco UCS E-Series Servers

    Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
    Cisco UCS E-Series Servers. Customers can download the software from the
    Software Center on Cisco.com by doing the following:

    1. Click Browse all.
    2. Navigate to Servers - Unified Computing > UCS E-Series Software.
    3. In the right pane, choose the appropriate Cisco UCS E-Series platform.
    4. On the Select a Software Type page, click Unified Computing System (UCS)
       Server Firmware.
    5. Access releases by using the left pane of the page.

    Cisco 5000 Series Enterprise Network Compute System Platforms

    Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
    Cisco 5000 Series ENCS Platforms. Customers can download the software from
    the Software Center on Cisco.com by doing the following:

    1. Click Browse all.
    2. Navigate to Routers > Network Functions Virtualization > 5000 Series
       Enterprise Network Compute System.
    3. In the right pane, choose the appropriate ENCS platform.
    4. On the Select a Software Type page, click ENCS Software.
    5. Access releases by using the left pane of the page.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.
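Every Fixed Releases table in the advisories above has the same shape: a release train (1.4, 1.5, 2.0, 3.0, 4.0) paired with either "Not vulnerable" or one or more first fixed builds, with UCS E-Series and ENCS fixed in a single release, 3.2(8). Checking a fleet against several such tables by eye is error-prone because the fix for a train is branch-specific (4.0(2f) says nothing about a 4.0(4a) image, which the same table separately lists as needing 4.0(4b)). The Python below is an example added to this bulletin, not a Cisco tool: it parses Cisco IMC version strings of the form 4.0(2f) and assesses an inventory against a transcribed table. The embedded tables are copied from the cmdinj-1864 and cmdinj-1865 advisories and from the E-Series/ENCS statement; the sample inventory is constructed. One rule is an assumption, labelled in the code: a build branch newer than every fix the table lists is taken to carry the fix, while a branch the table does not mention that sits below the newest listed fix is reported as vulnerable.

```python
import re
from typing import Dict, List, Tuple, Union

# Fixed-release tables transcribed from the advisories above (standalone UCS
# C-Series/S-Series column). "Not vulnerable" trains are kept verbatim.
FixedTable = Dict[str, Union[str, List[str]]]

CMDINJ_1864_C_SERIES: FixedTable = {
    "1.4": "Not vulnerable",
    "1.5": ["1.5(9g)"],
    "2.0": ["2.0(13o)"],
    "3.0": ["3.0(4k)"],
    "4.0": ["4.0(2f)", "4.0(4b)"],
}

CMDINJ_1865_C_SERIES: FixedTable = {
    "1.4": "Not vulnerable",
    "1.5": ["1.5(9g)"],
    "2.0": ["2.0(13o)"],
    "3.0": ["3.0(4k)"],
    "4.0": ["4.0(1d)", "4.0(2c)", "4.0(4b)"],
}

# UCS E-Series and ENCS platforms share one first fixed release in these advisories.
E_SERIES_ENCS: FixedTable = {"3.2": ["3.2(8)"]}

# Cisco IMC version strings look like 4.0(2f) or 3.2(8): train, build, patch letter.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)$")


def parse_version(text: str) -> Tuple[str, int, int]:
    """Split '4.0(2f)' into (train='4.0', build=2, patch=6); '3.2(8)' has patch 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cisco IMC version string: {text!r}")
    major, minor, build, patch = m.groups()
    patch_rank = (ord(patch) - ord("a") + 1) if patch else 0
    return f"{major}.{minor}", int(build), patch_rank


def assess(version: str, table: FixedTable) -> str:
    """Return 'not_vulnerable', 'fixed', 'vulnerable' or 'unknown' for one
    version string against one advisory's first-fixed table."""
    train, build, patch = parse_version(version)
    entry = table.get(train)
    if entry is None:
        # Train absent from the table (e.g. a 3.2 image checked against the
        # C-Series table): the advisory does not cover it, so say so.
        return "unknown"
    if isinstance(entry, str):
        return "not_vulnerable"
    fixes = [parse_version(f) for f in entry]
    # Same build branch as a listed fix: fixed once the patch letter reaches it.
    for _, fix_build, fix_patch in fixes:
        if build == fix_build:
            return "fixed" if patch >= fix_patch else "vulnerable"
    # Assumption: a build branch newer than every listed fix carries the fix
    # (Cisco lists the first fixed release per branch). Any other unlisted
    # branch, including one between two listed fixes, is reported vulnerable.
    if build > max(fb for _, fb, _ in fixes):
        return "fixed"
    return "vulnerable"


def assess_many(versions: List[str], table: FixedTable) -> Dict[str, str]:
    """Assess an inventory; strings that do not parse are reported as 'unknown'."""
    out: Dict[str, str] = {}
    for v in versions:
        try:
            out[v] = assess(v, table)
        except ValueError:
            out[v] = "unknown"
    return out


if __name__ == "__main__":
    # Constructed sample inventory, not data from real devices.
    inventory = ["4.0(2e)", "4.0(2f)", "4.0(4a)", "3.0(4k)",
                 "2.0(13n)", "1.4(7h)", "3.2(8)", "not-a-version"]
    for v, status in assess_many(inventory, CMDINJ_1864_C_SERIES).items():
        print(f"{v:15} {status}")
```

Run the same inventory against each advisory's table rather than the union of them: 4.0(1d) is fixed for cmdinj-1865 but still below the first fix for cmdinj-1864, so a single "highest fixed release" shortcut would miss exposure.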
URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinject-1896

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version | Description              | Section | Status | Date            |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-21  |
    +---------+--------------------------+---------+--------+-----------------+

- ------------------------------------------------------------------------------

Cisco Integrated Management Controller CLI Command Injection Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190821-cimc-cli-inject
First Published: 2019 August 21 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvo35996
CVE-2019-1883
CWE-78
CVSS Score: 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the command-line interface of Cisco Integrated
    Management Controller (IMC) could allow an authenticated, local attacker
    with read-only credentials to inject arbitrary commands that could allow
    them to obtain root privileges.

    The vulnerability is due to insufficient validation of user-supplied input
    on the command-line interface. An attacker could exploit this vulnerability
    by authenticating with read-only privileges via the CLI of an affected
    device and submitting crafted input to the affected commands. A successful
    exploit could allow an attacker to execute arbitrary commands on the device
    with root privileges.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-cimc-cli-inject

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products:

      UCS C-Series and S-Series Servers in standalone mode that are running
      Cisco IMC Software earlier than the first fixed releases of 3.0 and 4.0.
      UCS E-Series Servers that are running Cisco IMC Software earlier than the
      first fixed release of 3.2(8).
      5000 Series Enterprise Network Compute System (ENCS) Platforms that are
      running Cisco IMC Software earlier than the first fixed release of 3.2(8).

    For information about affected software releases, consult the Fixed
    Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco FI-Attached servers managed by UCS Manager:

      Cisco UCS B-Series Servers
      Cisco UCS C-Series Servers
      Cisco UCS S-Series Servers

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased.
    Free security software updates do not entitle customers to a new software
    license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to the appropriate UCS C-Series and
    S-Series software release as indicated in the following table:

      Cisco IMC Software Release    First Fixed Release
      1.4                           Not vulnerable
      1.5                           Not vulnerable
      2.0                           Not vulnerable
      3.0                           3.0(4k)
      4.0                           4.0(2f), 4.0(4b)

    Customers can download Cisco IMC Software from the Software Center on
    Cisco.com by doing the following:

      1. Click Browse all.
      2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
         Standalone Server Software.
      3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
      4. On the Select a Software Type page, click Unified Computing System
         (UCS) Server Firmware.
      5. Access releases by using the left pane of the page.

    Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
    Cisco UCS E-Series Servers. Customers can download the software from the
    Software Center on Cisco.com by doing the following:

      1. Click Browse all.
      2. Navigate to Servers - Unified Computing > UCS E-Series Software.
      3. In the right pane, choose the appropriate Cisco UCS E-Series platform.
      4. On the Select a Software Type page, click Unified Computing System
         (UCS) Server Firmware.
      5. Access releases by using the left pane of the page.

    Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
    Cisco 5000 Series Enterprise Network Compute System (ENCS) Platforms.
    Customers can download the software from the Software Center on Cisco.com
    by doing the following:

      1. Click Browse all.
      2. Navigate to Routers > Network Functions Virtualization > 5000 Series
         Enterprise Network Compute System.
      3. In the right pane, choose the appropriate ENCS platform.
      4. On the Select a Software Type page, click ENCS Software.
      5. Access releases by using the left pane of the page.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.
URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-cimc-cli-inject

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version | Description              | Section | Status | Date            |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-21  |
    +---------+--------------------------+---------+--------+-----------------+

- ------------------------------------------------------------------------------

Cisco Integrated Management Controller Buffer Overflow Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190821-imc-bo
First Published: 2019 August 21 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvo36122
CVE-2019-1871
CWE-119
CVSS Score: 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Import Cisco IMC configuration utility of Cisco
    Integrated Management Controller (IMC) could allow an authenticated, remote
    attacker to cause a denial of service (DoS) condition and execute arbitrary
    commands with root privileges on an affected device.

    The vulnerability is due to improper bounds checking by the import-config
    process. An attacker could exploit this vulnerability by sending malicious
    packets to an affected device. When the packets are processed, an
    exploitable buffer overflow condition may occur. A successful exploit could
    allow the attacker to execute arbitrary code on the affected device with
    elevated privileges.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-bo

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are running
    a vulnerable release of Cisco IMC Software:

      UCS C-Series and S-Series Servers in standalone mode
      UCS E-Series Servers
      5000 Series Enterprise Network Compute System (ENCS) Platform

    For information about affected software releases, consult the Fixed
    Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco FI-Attached servers managed by UCS Manager:

      Cisco UCS B-Series Servers
      Cisco UCS C-Series Servers
      Cisco UCS S-Series Servers

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.
    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Cisco UCS C-Series and S-Series Servers

    Customers are advised to upgrade to the appropriate UCS C-Series and
    S-Series software release as indicated in the following table:

      Cisco IMC Software Release    First Fixed Release
      1.4                           Not vulnerable
      1.5                           Not vulnerable
      2.0                           Not vulnerable
      3.0                           3.0(4k)
      4.0                           4.0(2f), 4.0(4b)

    Customers can download Cisco IMC Software from the Software Center on
    Cisco.com by doing the following:

      1. Click Browse all.
      2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
         Standalone Server Software.
      3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
      4. On the Select a Software Type page, click Unified Computing System
         (UCS) Server Firmware.
      5. Access releases by using the left pane of the page.
    Cisco UCS E-Series Servers

    Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
    Cisco UCS E-Series Servers. Customers can download the software from the
    Software Center on Cisco.com by doing the following:

      1. Click Browse all.
      2. Navigate to Servers - Unified Computing > UCS E-Series Software.
      3. In the right pane, choose the appropriate Cisco UCS E-Series platform.
      4. On the Select a Software Type page, click Unified Computing System
         (UCS) Server Firmware.
      5. Access releases by using the left pane of the page.

    Cisco 5000 Series Enterprise Network Compute System (ENCS) Platforms

    Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
    Cisco 5000 Series ENCS Platforms. Customers can download the software from
    the Software Center on Cisco.com by doing the following:

      1. Click Browse all.
      2. Navigate to Routers > Network Functions Virtualization > 5000 Series
         Enterprise Network Compute System.
      3. In the right pane, choose the appropriate ENCS platform.
      4. On the Select a Software Type page, click ENCS Software.
      5. Access releases by using the left pane of the page.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.
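The first-fixed-release tables for cisco-sa-20190821-cimc-cli-inject and cisco-sa-20190821-imc-bo above are identical, so a single inventory check tells an operator which IMC controllers still need the upgrade for both. The Python below is an added example, not Cisco's or AusCERT's code: how a release relates to two first-fixed releases in the same train (4.0(2f) and 4.0(4b)) is an interpretation of the table stated in the docstring, and the hostnames and versions in the sample inventory are constructed.

```python
"""Check a Cisco IMC Software version string against the first-fixed-release
tables in cisco-sa-20190821-cimc-cli-inject and cisco-sa-20190821-imc-bo."""
import re

# Release tables transcribed from the two advisories (identical for both).
# platform -> {train: list of first fixed releases, or None for "Not vulnerable"}
FIXED = {
    "c-series": {"1.4": None, "1.5": None, "2.0": None,
                 "3.0": ["3.0(4k)"], "4.0": ["4.0(2f)", "4.0(4b)"]},
    "e-series": {"3.2": ["3.2(8)"]},
    "encs": {"3.2": ["3.2(8)"]},
}

_VER = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)$")

def parse(version):
    """'4.0(2f)' -> (4, 0, 2, 'f'). Tuples compare in release order; a
    missing letter ('3.2(8)') sorts before 'a' ('3.2(8a)')."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Cisco IMC version: {version!r}")
    major, minor, build, letter = m.groups()
    return (int(major), int(minor), int(build), letter)

def status(platform, version):
    """Return 'not_vulnerable', 'fixed', 'vulnerable' or 'unknown'.
    Interpretation of the table (our assumption, not Cisco's wording): a
    release is fixed when it is at least the first fixed release with the
    same build number, or when its build number is newer than every fixed
    build listed for its train (so 4.0(3a) and 4.0(4a) are vulnerable,
    4.0(5a) is fixed); trains absent from the table are 'unknown'."""
    v = parse(version)
    table = FIXED[platform]
    train = f"{v[0]}.{v[1]}"
    if train not in table:
        return "unknown"
    if table[train] is None:
        return "not_vulnerable"
    fixed = [parse(f) for f in table[train]]
    same_build = [f for f in fixed if f[2] == v[2]]
    if same_build:
        return "fixed" if v >= same_build[0] else "vulnerable"
    return "fixed" if v[2] > max(f[2] for f in fixed) else "vulnerable"

def triage(inventory):
    """inventory: iterable of (hostname, platform, version). Returns a
    {hostname: status} dict so the vulnerable hosts can be scheduled."""
    return {host: status(platform, ver) for host, platform, ver in inventory}

if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = [("cimc-01", "c-series", "4.0(2e)"),
              ("cimc-02", "c-series", "4.0(4b)"),
              ("cimc-03", "c-series", "3.0(3e)"),
              ("encs-01", "encs", "3.2(7)")]
    for host, result in sorted(triage(sample).items()):
        print(f"{host}: {result}")
```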
URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-bo

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version | Description              | Section | Status | Date            |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-21  |
    +---------+--------------------------+---------+--------+-----------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================