“A web service reachable from our authentication bypass has a by-design feature allowing an authenticated attacker to execute arbitrary code as root”
He’s at it again: Aussie security researcher Steven Seeley has exposed nine more security vulnerabilities in Cisco equipment, including a “critical” RCE bug in the API of Cisco’s UCS Director tool — the company’s “high secure [sic], end-to-end management, orchestration and automation solution” for data centres.
As Cisco puts it: “A vulnerability in the REST API of Cisco UCS Director and UCS Director Express for Big Data [a Hadoop deployment tool] could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.”
The critical Cisco bugs, patched Friday (administrators should update post haste) include a vulnerability with a CVSS score of 9.8 that — by chaining together a series of authentication errors — leaks an administrator’s REST API key, allowing an attacker to create sessions with high privileges.
Critical Cisco Bugs: What’s Affected?
That is not a trivial issue: UCS Director works as a one-stop-shop orchestration engine for data centre infrastructure — both from Cisco and thousands of third-party vendors. It can handle tasks like server software installation, hep rollout infrastructure from bare metal servers to virtualised resources; support disaster-recovery failover; and server decommissioning.
(With UCS director it is possible to “create, clone and deploy service profiles and templates for all Cisco UCS servers and compute applications.” says Cisco. i.e. Once in, an attacker has full control of a hub that, in theory, gives unbridled access to any plugged in corner of a target’s data centre).
It gets worse, Seeley said in a blog: “After grinding out 8 different post auth code exec bugs, I found out that a different web service (reachable from our authentication bypass) has a by design feature which is a built-in Cloupia [Ed: a Cisco subsidiary] script interpreter allowing an authenticated attacker to execute arbitrary code as root. At that point, I didn’t bother auditing any further and as it turns out, that’s a forever day since Cisco declined to patch it.”
Seeley, a winner of Pwn2Own ICS 2020, and head of web application security firm Source Incite, has history with Cisco: in January, Computer Business Review reported on his finding of a massive 120+ vulnerabilities in a single Cisco product, its Data Center Network Manager (DCNM).
These let hackers remotely bypass authentication and waltz into enterprises’ data centre systems, “owing to rudimental security errors including hard coded credentials”, a finding that left Cisco critics furious at the lack of attention being given to product security.
Read this: Critics Hit Out at Cisco After Security Researcher Finds 120+ Vulnerabilities in a Single Product
Seeley said the vulnerability was based around four flaws:
- RESTUrlRewrite RequestDispatcher.forward Filter Bypass
- RestAPI isEnableRestKeyAccessCheckForUser Flawed Logic
- RestAPI$MyCallable call Arbitrary Directory Creation
- RestAPI downloadFile Directory Traversal Information Disclosure
He noted: “The ability to untar an untrusted file can break several assumptions made by developers and it’s up to creative attackers to fully expose the impact of such a situation”, adding of the feature that lets an authenticated user execute script as root, “I still believe that applications should not allow by design remote code execution features but of course, if it’s protected by authentication then you really want to make sure you don’t have an authentication bypass vulnerability lurking in the code…”
He added to Computer Business Review of the root user feature, which remains unpatched: “They didn’t expect someone to bypass the authentication. Which confuses me, why bother patching the other bugs then?”
The CVEs are CVE-2020-3239; CVE-2020-3240; CVE-2020-3243; CVE-2020-3247; CVE-2020-3248; CVE-2020-3249; CVE-2020-3250; CVE-2020-3251; CVE-2020-3252.
Fixed releases are now available here.