View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

More Critical Cisco Bugs Patched — With a Little “Forever Day” Left Over

"A web service reachable from our authentication bypass has a by-design feature allowing an authenticated attacker to execute arbitrary code as root"

By claudia glover

He’s at it again: Aussie security researcher Steven Seeley has exposed nine more security vulnerabilities in Cisco equipment, including a “critical” RCE bug in the API of Cisco’s UCS Director tool — the company’s “high secure [sic], end-to-end management, orchestration and automation solution” for data centres.

As Cisco puts it: “A vulnerability in the REST API of Cisco UCS Director and UCS Director Express for Big Data [a Hadoop deployment tool] could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.”

The critical Cisco bugs, patched Friday (administrators should update post haste) include a vulnerability with a CVSS score of 9.8 that — by chaining together a series of authentication errors — leaks an administrator’s REST API key, allowing an attacker to create sessions with high privileges.

Critical Cisco Bugs: What’s Affected?

That is not a trivial issue: UCS Director works as a one-stop-shop orchestration engine for data centre infrastructure — both from Cisco and thousands of third-party vendors. It can handle tasks like server software installation, hep rollout infrastructure from bare metal servers to virtualised resources; support  disaster-recovery failover; and server decommissioning.

(With UCS director it is possible to “create, clone and deploy service profiles and templates for all Cisco UCS servers and compute applications.” says Cisco. i.e. Once in, an attacker has full control of a hub that, in theory, gives unbridled access to any plugged in corner of a target’s data centre).

It gets worse, Seeley said in a blog: “After grinding out 8 different post auth code exec bugs, I found out that a different web service (reachable from our authentication bypass) has a by design feature which is a built-in Cloupia [Ed: a Cisco subsidiary] script interpreter allowing an authenticated attacker to execute arbitrary code as root. At that point, I didn’t bother auditing any further and as it turns out, that’s a forever day since Cisco declined to patch it.”

Read This! Heavy Patching in the WFH Era: It’s VPN + Home Broadband Fun Time

Seeley, a winner of Pwn2Own ICS 2020, and head of web application security firm Source Incite, has history with Cisco: in January, Computer Business Review reported on his finding of a massive 120+ vulnerabilities in a single Cisco product, its Data Center Network Manager (DCNM).

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

He documents the most recent chain of vulnerabilities in technical detail on his blog here, and also provides exploit scripts.

These let hackers remotely bypass authentication and waltz into enterprises’ data centre systems, “owing to rudimental security errors including hard coded credentials”, a finding that left Cisco critics furious at the lack of attention being given to product security.

Read this: Critics Hit Out at Cisco After Security Researcher Finds 120+ Vulnerabilities in a Single Product

Seeley said the vulnerability was based around four flaws:

  1. RESTUrlRewrite RequestDispatcher.forward Filter Bypass
  2. RestAPI isEnableRestKeyAccessCheckForUser Flawed Logic
  3. RestAPI$MyCallable call Arbitrary Directory Creation
  4. RestAPI downloadFile Directory Traversal Information Disclosure

He noted: “The ability to untar an untrusted file can break several assumptions made by developers and it’s up to creative attackers to fully expose the impact of such a situation”, adding of the feature that lets an authenticated user execute script as root, “I still believe that applications should not allow by design remote code execution features but of course, if it’s protected by authentication then you really want to make sure you don’t have an authentication bypass vulnerability lurking in the code…”

He added to Computer Business Review of the root user feature, which remains unpatched: “They didn’t expect someone to bypass the authentication. Which confuses me, why bother patching the other bugs then?”

The CVEs are CVE-2020-3239; CVE-2020-3240; CVE-2020-3243; CVE-2020-3247; CVE-2020-3248; CVE-2020-3249; CVE-2020-3250; CVE-2020-3251; CVE-2020-3252.

Fixed releases are now available here.

See also: Black Swans, Barking Dogs, and Changing Future Technology Thinking

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.