Security researcher Pedro Ribeiro, aka “
Last week, Cisco released security fixes to address 17 critical and high-severity vulnerabilities affecting some Cisco Unified Computing products, including Integrated Management Controller (IMC), UCS Director, and UCS Director Express for Big Data.
Most of the flaws affect the Integrated Management Controller (IMC) that is a baseboard management controller that provides embedded server management for Cisco Unified Computing System (UCS) servers.
Some of the flaws addressed by Cisco have been reported by the security researcher Pedro Ribeiro, the expert now announced that he has released the details of three vulnerabilities that can be exploited by attackers to gain complete control over affected systems.
“Due to several coding errors, it is possible for an
The CVE-2019-1935 flaw in Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could be exploited by an unauthenticated, remote attacker to log in to the CLI of an affected system by using the SCP User account (
“The vulnerability is due to the presence of a documented default account with an undocumented default password and incorrect permission settings for that account.” reads the security advisory published by Cisco. “Changing the default password for this account is not enforced during the installation of the product. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the
Ribeiro discovered that the above user can log in via SSH with the default password.
Ribeiro also found the CVE-2019-1936 flaw that could be exploited by an authenticated attacker to execute arbitrary commands on the underlying Linux shell with root permissions. This vulnerability could be exploited only by an authenticated attacker, but the authentication could be obtained by triggering the CVE-2019-1937.
“A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to acquire a valid session token with administrator privileges, bypassing user authentication.” reads the advisory for the CVE-2019-1937 flaw.
“The vulnerability is due to insufficient request header validation during the authentication process. An attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker to use the acquired session token to gain full administrator access to the affected device.”
Ribeiro has developed two Metasploit modules, one that exploits the authentication bypass and command injection, and another that exploits the default SSH password.