Multiple Vulnerabilities in Cisco Unified Computing System

Advisory ID: cisco-sa-20130424-ucsmulti

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130424-ucsmulti

Revision 1.2

Last Updated  2013 June 6 20:24  UTC (GMT)

For Public Release 2013 April 24 16:00  UTC (GMT)


Summary

Managed and standalone Cisco Unified Computing System (UCS) deployments contain one or more of the following vulnerabilities:

  • Cisco Unified Computing System LDAP User Authentication Bypass Vulnerability
  • Cisco Unified Computing System IPMI Buffer Overflow Vulnerability
  • Cisco Unified Computing Management API Denial of Service Vulnerability
  • Cisco Unified Computing System Information Disclosure Vulnerability
  • Cisco Unified Computing System KVM Authentication Bypass Vulnerability
Cisco has released free software updates that address these vulnerabilities.  These vulnerabilities affect only Cisco UCS.  Additional vulnerabilities that affect the NX-OS base operating system of UCS are described in Multiple Vulnerabilities in Cisco NX-OS-Based Products.


This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130424-ucsmulti

Affected Products

Vulnerable Products

The following products are affected by one or more of the vulnerabilities detailed in this advisory:

Cisco Unified Computing System 6100 Series Fabric Interconnect
Cisco Unified Computing System 6200 Series Fabric Interconnect
Cisco Unified Computing System Cisco Integrated Management Controllers

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by these vulnerabilities.

Details

The Cisco Unified Computing System Fabric Interconnect is the switching fabric and management component of an integrated Cisco UCS platform.  Certain vulnerabilities detailed in this section involve protocols whose service is hosted on the Fabric Interconnect but which may interact with other components of the Cisco UCS platform, such as the Cisco Integrated Management Controller (Cisco IMC) on a Cisco UCS C-Series or B-Series server.

Cisco Unified Computing System LDAP User Authentication Bypass Vulnerability

Cisco UCS Manager contains an LDAP authentication bypass vulnerability. This vulnerability could allow an unauthenticated, remote attacker who can access the Cisco UCS Manager Web Console to authenticate as a specific user without providing valid authentication credentials. To exploit the vulnerability, the attacker would need to submit a malformed request, designed to leverage this vulnerability, to a Cisco UCS Manager login page.

Only Cisco UCS systems that have been configured for direct LDAP integration are affected, and certain LDAP options must be enabled on the LDAP server that the Cisco UCS Manager is authenticating against. The vulnerability does not affect other authentication methods, such as local authentication or RADIUS or TACACS+ authentication, authorization, and accounting (AAA).

This vulnerability is documented in Cisco bug ID CSCtc91207 (registered customers only) and has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2013-1182.

Cisco Unified Computing System IPMI Buffer Overflow Vulnerability


Cisco UCS Manager contains a buffer overflow vulnerability in the Intelligent Platform Management Interface (IPMI) implementation that is hosted on the Cisco UCS Fabric Interconnect. An unauthenticated, remote attacker who can submit a properly malformed request to the IPMI service via UDP port 623 could trigger a buffer overflow. This could allow the attacker to execute arbitrary code with elevated privileges.

This vulnerability does not require a TCP three-way handshake to exploit because the service runs over UDP.

This vulnerability is documented in Cisco bug ID CSCtd32371 (registered customers only) and has been assigned the CVE ID CVE-2013-1183.

Cisco Unified Computing Management API Denial of Service Vulnerability

Cisco UCS Manager contains a denial of service vulnerability in the management API. An unauthenticated, remote attacker who can submit a properly malformed request to the XML API management service of the Cisco UCS Manager could cause the service to stop responding. As a result, administrators would be unable to make configuration changes or perform management actions on the Fabric Interconnect and the computing resources managed by the device. A restart of the Fabric Interconnect is required to restore functionality.

This vulnerability is documented by Cisco bug ID CSCtg48206 (registered customers only) and has been assigned the CVE ID CVE-2013-1184.

Cisco Unified Computing System Information Disclosure Vulnerability


Cisco UCS Manager contains an information disclosure vulnerability. An unauthenticated, remote attacker could access technical support or local backup files that were created by a device administrator. The attacker would need to access the web interface of the Cisco UCS Manager to exploit this vulnerability.

The files that the attacker could access contain sensitive information that could lead to the complete compromise of an affected Cisco UCS platform. The attacker must know the naming convention used by the administrator as well as the date that the files were created. These files are not automatically created on a device, but occur when an administrator creates a tech support bundle file or performs an on-device configuration backup.

This vulnerability is documented by Cisco bug ID CSCtq86543 (registered customers only) and has been assigned the CVE ID CVE-2013-1185.

Cisco Unified Computing System KVM Authentication Bypass Vulnerability

Cisco UCS platforms contain an IP keyboard, video, mouse (KVM) authentication bypass vulnerability. An unauthenticated, remote attacker who can send a malicious KVM authentication request to the Cisco IMC of a managed computing resource could bypass authentication and gain access to the IP KVM console of the physical or virtual device. This vulnerability could also allow an unauthenticated, remote attacker to join an existing, active IP KVM session if the active owner confirms the request or fails to respond to the request within 60 seconds.

This vulnerability is documented by Cisco bug ID CSCts53746 (registered customers only) and has been assigned the CVE ID CVE-2013-1186.

Vulnerability Scoring Details

Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:


http://intellishield.cisco.com/security/alertmanager/cvss

CSCtc91207 - Cisco Unified Computing System LDAP User Authentication Bypass Vulnerability

CVSS Base Score - 9.3
  Access Vector:          Network
  Access Complexity:      Medium
  Authentication:         None
  Confidentiality Impact: Complete
  Integrity Impact:       Complete
  Availability Impact:    Complete

CVSS Temporal Score - 7.7
  Exploitability:         Functional
  Remediation Level:      Official-Fix
  Report Confidence:      Confirmed

CSCtd32371 - Cisco Unified Computing System IPMI Buffer Overflow Vulnerability

CVSS Base Score - 10.0
  Access Vector:          Network
  Access Complexity:      Low
  Authentication:         None
  Confidentiality Impact: Complete
  Integrity Impact:       Complete
  Availability Impact:    Complete

CVSS Temporal Score - 8.3
  Exploitability:         Functional
  Remediation Level:      Official-Fix
  Report Confidence:      Confirmed

CSCtg48206 - Cisco Unified Computing Management API Denial of Service Vulnerability

CVSS Base Score - 7.8
  Access Vector:          Network
  Access Complexity:      Low
  Authentication:         None
  Confidentiality Impact: None
  Integrity Impact:       None
  Availability Impact:    Complete

CVSS Temporal Score - 6.4
  Exploitability:         Functional
  Remediation Level:      Official-Fix
  Report Confidence:      Confirmed

CSCtq86543 - Cisco Unified Computing System Information Disclosure Vulnerability

CVSS Base Score - 9.3
  Access Vector:          Network
  Access Complexity:      Medium
  Authentication:         None
  Confidentiality Impact: Complete
  Integrity Impact:       Complete
  Availability Impact:    Complete

CVSS Temporal Score - 7.7
  Exploitability:         Functional
  Remediation Level:      Official-Fix
  Report Confidence:      Confirmed

CSCts53746 - Cisco Unified Computing System KVM Authentication Bypass Vulnerability

CVSS Base Score - 7.5
  Access Vector:          Network
  Access Complexity:      Low
  Authentication:         None
  Confidentiality Impact: Partial
  Integrity Impact:       Partial
  Availability Impact:    Partial

CVSS Temporal Score - 6.2
  Exploitability:         Functional
  Remediation Level:      Official-Fix
  Report Confidence:      Confirmed

Impact

Successful exploitation of the vulnerabilities detailed in this advisory could allow an attacker to take complete control of the affected device or cause a persistent denial of service condition.

Successful exploitation of the IP KVM vulnerability will allow an attacker to access the console of a virtual or physical computing resource. The extended impact of that access will depend on the state of the device and the installed operating system.

Software Versions and Fixes

When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Managed Cisco Unified Computing System - System Software

LDAP Authentication Bypass (CVE-2013-1182)
  Affected:     Prior to 1.0(2h); Prior to 1.1(1j); 1.3(x)
  First Fixed:  1.0(2h); 1.1(1j); 1.4(1i)
  Recommended:  2.1.1e

IPMI Buffer Overflow (CVE-2013-1183)
  Affected:     1.0(x); Prior to 1.1(1j); Prior to 1.2(1b)
  First Fixed:  1.1(1j); 1.2(1b)
  Recommended:  2.1.1e

API Denial of Service (CVE-2013-1184)
  Affected:     1.0(x); 1.1(x); Prior to 1.2(1b)
  First Fixed:  1.2(1b)
  Recommended:  2.1.1e

Information Disclosure (CVE-2013-1185)
  Affected:     1.0(x); 1.1(x); 1.2(x); 1.3(x); 1.4(x); 2.0(1x) and prior
  First Fixed:  2.0(2m); 2.1(1a)
  Recommended:  2.1.1e

KVM Authentication Bypass (CVE-2013-1186)
  Affected:     1.0(x); 1.1(x); 1.2(x); 1.3(x); 1.4(x); 2.0(1x) and prior
  First Fixed:  2.0(2m)
  Recommended:  2.1.1e

Standalone Cisco Unified Computing System - Server Software

KVM Authentication Bypass - Generation 2 and later UCS Servers (CVE-2013-1186)
  Affected:     1.0(x); 1.1(x); 1.2(x); 1.3(x); 1.4(3s) and prior
  First Fixed:  1.4(4)
  Recommended:  1.5(1f)

KVM Authentication Bypass - Generation 1 UCS Servers (C200/C210/C250) (CVE-2013-1186)
  Affected:     1.0(x); 1.1(x); 1.2(x); 1.3(x); 1.4(3s) and prior
  First Fixed:  1.4(3t)
  Recommended:  1.4(3t)

Note: Fixed software for Cisco C-Series C200 M1/M2, C210 M1/M2, and C250 M1/M2 servers is now available.

Workarounds

No on-device workarounds are available to mitigate these vulnerabilities.

Cisco has released an Applied Mitigation Bulletin (AMB) that explains how to detect and mitigate potential exploitation of these vulnerabilities. The AMB, Identifying and Mitigating Multiple Vulnerabilities in Cisco Unified Computing System, is available at: http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=28729

Obtaining Fixed Software

Cisco has released free software updates that address the vulnerabilities described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html.

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Navigator on Cisco.com at http://www.cisco.com/cisco/software/navigator.html.

Customers using Third Party Support Organizations

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
  • +1 800 553 2447 (toll free from within North America)
  • +1 408 526 7209 (toll call from anywhere in the world)
  • e-mail: tac@cisco.com
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

These vulnerabilities were identified during an internal security audit of the Cisco UCS Fabric Interconnect and related devices.

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This advisory is posted on Cisco Security at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130424-ucsmulti

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:
  • cust-security-announce@cisco.com
  • first-bulletins@lists.first.org
  • bugtraq@securityfocus.com
  • vulnwatch@vulnwatch.org
  • cisco@spot.colorado.edu
  • cisco-nsp@puck.nether.net
  • full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.

Revision History

Revision 1.2 2013-June-06 Updated software availability status for first generation (C200/C210/C250) UCS Stand Alone servers.
Revision 1.1 2013-April-30 Updated software availability status of EOL devices in Fixed Software section.
Revision 1.0 2013-April-24 Initial public release.

Cisco Security Procedures

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.