Cisco Security Advisory
Multiple Vulnerabilities in Cisco Unified Computing System
Critical
Advisory ID:
cisco-sa-20130424-ucsmulti
First Published:
2013 April 24 16:00 GMT
Last Updated:
2013 June 6 20:24 GMT
Version 1.2:
Workarounds:
Cisco Bug IDs:
CVSS Score:
Base 10.0,
Temporal 8.3
Click Icon to Copy Verbose Score
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
Click Icon to Copy Verbose Score
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
-
Managed and standalone Cisco Unified Computing System (UCS) deployments contain one or more of the vulnerabilities:
- Cisco Unified Computing System LDAP User Authentication Bypass Vulnerability
- Cisco Unified Computing System IPMI Buffer Overflow Vulnerability
- Cisco Unified Computing Management API Denial of Service Vulnerability
- Cisco Unified Computing System Information Disclosure Vulnerability
- Cisco Unified Computing System KVM Authentication Bypass Vulnerability
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130424-ucsmulti
-
Vulnerable Products
The following products are affected by one or more of the vulnerabilities detailed in this advisory:
Cisco Unified Computing System 6100 Series Fabric Interconnect
Cisco Unified Computing System 6200 Series Fabric Interconnect
Cisco Unified Computing System Cisco Integrated Management ControllersProducts Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
The Cisco Unified Computing System Fabric Interconnect is the switching fabric and management component of an integrated Cisco UCS platform. Certain vulnerabilities detailed in this section are related to protocols, and while the service is hosted on the Fabric Interconnect the protocols may interact with other components in the Cisco UCS platform such as the Cisco Integrated Management Controller (Cisco IMC) on a Cisco UCS C-Series or B-Series server.
Cisco Unified Computing System LDAP User Authentication Bypass Vulnerability
Cisco UCS Manager contains an LDAP authentication bypass vulnerability. This vulnerability could allow an unauthenticated, remote attacker who can access the Cisco UCS Manager Web Console to authenticate as a specific user without providing valid authentication credentials. To exploit the vulnerability the attacker would need to submit a malformed request to a Cisco UCS Manager login page designed to leverage this vulnerability.
Only Cisco UCS systems that have been configured for direct LDAP integration are affected and certain LDAP options must be enabled on the LDAP server the Cisco UCS Manager is authenticating against. The vulnerability does not affect other authentication methods such as local, RADIUS, authentication, authorization, and accounting (AAA), or TACACS+.
This vulnerability is documented in Cisco bug ID CSCtc91207 (registered customers only) and has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2013-1182.
Cisco Unified Computing System IPMI Buffer Overflow Vulnerability
Cisco UCS Manager contains a buffer overflow vulnerability in the Intelligent Platform Management Interface (IPMI) implementation that is hosted on the Cisco UCS Fabric Interconnect. An unauthenticated, remote attacker who can submit a properly malformed request to the IPMI service via UDP port 623 could trigger a buffer overflow. This could allow the attacker to execute arbitrary code with elevated privileges.
This vulnerability does not require a TCP three-way handshake to exploit because the service runs over UDP.
This vulnerability is documented in Cisco bug ID CSCtd32371 (registered customers only) and has been assigned the CVE ID CVE-2013-1183.
Cisco Unified Computing Management API Denial of Service Vulnerability
Cisco UCS Manager contains a denial of service vulnerability in the management API. An unauthenticated, remote attacker who can submit a properly malformed request to the XML API management service of the Cisco UCS Manager could cause the service to stop responding. As a result, administrators could not make configuration changes or perform management actions on the Fabric Interconnect and computing resources managed by the device. A restart of the Fabric Interconnect is required to restore functionality.
This vulnerability is documented by Cisco bug ID CSCtg48206 (registered customers only) and has been assigned the CVE ID CVE-2013-1184.
Cisco Unified Computing System Information Disclosure Vulnerability
Cisco UCS Manager contains an information disclosure vulnerability. An unauthenticated, remote attacker could access technical support or local backup files that were created by a device administrator. The attacker would need to access the web interface of the Cisco UCS Manager to exploit this vulnerability.
The files that the attacker could access contain sensitive information that could lead to the complete compromise of an affected Cisco UCS platform. The attacker must know the naming convention used by the administrator as well as the date that the files were created. These files are not automatically created on a device, but occur when an administrator creates a tech support bundle file or performs an on-device configuration backup.
This vulnerability is documented by Cisco bug ID CSCtq86543 (registered customers only) and has been assigned the CVE ID CVE-2013-1185
Cisco Unified Computing System KVM Authentication Bypass Vulnerability
Cisco UCS platforms contain an IP keyboard, video, mouse (KVM) authentication bypass vulnerability. An unauthenticated, remote attacker who can send a malicious KVM authentication request to the Cisco IMC of a managed computing resource could bypass authentication and access to the IP KVM console of the physical or virtual device. This vulnerability could also allow an unauthenticated, remote attacker to join an existing, active IP KVM session if the active owner confirms the request or fails to respond to the request within 60 seconds.
This vulnerability is documented by Cisco bug ID CSCts53746 (registered customers only) and has been assigned the CVE ID CVE-2013-1186.
-
No on device workarounds are available to mitigate these vulnerabilities.
Cisco has released an Applied Mitigation Bulletin (AMB) that explains how to detect and mitigate potential exploitation of these vulnerabilities. The AMB, Identifying and Mitigating Multiple Vulnerabilities in Cisco Unified Computing System, is available at: https://sec.cloudapps.cisco.com/security/center/viewAMBAlert.x?alertId=28729
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Managed Cisco Unified Computing System - System Software
Affected First Fixed Recommended LDAP Authentication Bypass
CVE-2013-1182Prior to 1.0(2h)
Prior to 1.1(1j)
1.3(x)
1.0(2h)
1.1(1j)
1.4(1i)
2.1.1e
IPMI Buffer Overflow
CVE-2013-11831.0(x)
Prior to 1.1(1j)
Prior to 1.2(1b)
1.1(1j)
1.2(1b)
2.1.1e
API Denial of Service
CVE-2013-11841.0(x)
1.1(x)
Prior to 1.2(1b)
1.2(1b)
2.1.1e
Information Disclosure
CVE-2013-11851.0(x)
1.1(x)
1.2(x)
1.3(x)
1.4(x)
2.0(1x) and Prior
2.0(2m)
2.1(1a)
2.1.1e
KVM Authentication Bypass
CVE-2013-11861.0(x)
1.1(x)
1.2(x)
1.3(x)
1.4(x)
2.0(1x) and Prior
2.0(2m)
2.1.1e
Standalone Cisco Unified Computing System - Server Software
Affected First Fixed Recommended KVM Authentication Bypass - Generation 2 and later UCS Servers
CVE-2013-11861.0(x)
1.1(x)
1.2(x)
1.3(x)
1.4(3s) and prior
1.4(4)
1.5(1f)
KVM Authentication Bypass - Generation 1 UCS Servers (C200/C210/C250)
CVE-2013-11861.0(x)
1.1(x)
1.2(x)
1.3(x)
1.4(3s) and prior1.4(3t) 1.4(3t)
Note: Fixed software for Cisco C-Series C200 M1/M2, C210 M1/M2, and C250 M1/M2 servers is now available.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
These vulnerabilities were identified during an internal security audit of the Cisco UCS Fabric Interconnect and related devices.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show LessRevision 1.2 2013-June-06 Updated software availability status for first generation (C200/C2210/C250) UCS Stand Alone servers. Revision 1.1 2013-April-30 Updated software availability status of EOL devices in Fixed Software section. Revision 1.0 2013-April-24 Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.