exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Cisco UCSM 2.2 Username / Password Disclosure

Cisco UCSM 2.2 Username / Password Disclosure
Posted Mar 24, 2015
Authored by Tom Sellers

Cisco Unified Computing System Manager (UCSM) versions 1.3 through 2.2 sends local (UCSM) username and password hashes to the configured SYSLOG server every 12 hours.

tags | exploit, local, info disclosure
systems | cisco
advisories | CVE-2014-8009
SHA-256 | f0ceac9c00ce462e0e72897f30e93bddf1642b81c987ab4e5c396f7423783888

Cisco UCSM 2.2 Username / Password Disclosure

Change Mirror Download
Subject:  Cisco UCSM username and password hashes sent via SYSLOG

Impact: Information Disclosure / Privilege Elevation

Vendor: Cisco
Product: Cisco Unified Computing System Manager (UCSM)
Notified: 2014.10.31
Fixed: 2015.03.06 ( 2.2(3e) )

Author: Tom Sellers ( tom at fadedcode.net )
Date: 2015.03.21


Description:
============

Cisco Unified Computing System Manager (UCSM) versions 1.3 through 2.2 sends local (UCSM) username and password hashes to the configured SYSLOG server every 12 hours. If the

Fabric Interconnects are in a cluster then each member will transmit the data.


SYSLOG Example ( portions of password hash replaced with <!snip!> ):


Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:User1,$1$e<!snip!>E.,-1.000000,16372.000000 - securityd
Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:admin,$1$J<!snip!>71,-1.000000,16372.000000 - securityd
Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:samdme,!,-1.000000,16372.000000 - securityd


Vulnerable environment(s):
==========================

Cisco Unified Computing System Manager (UCSM) is a Cisco product that manages all aspects of the Unified Computing System (UCS) environment including Fabric Interconnects, B-

Series blades servers and the related blade chassis. C-Series (non-blade) servers can also be managed. These solutions are deployed in high performance / high density

compute solutions and allow for policy based and rapid deployment of resources. They are are typically found in Data Center class environments with 10/40 GB network and 8/16

GB Fibre Channel connectivity.


Software Versions: 1.3 - 2.2(1b)A

Hardware: Cisco 6120 XP, 6296 UP


SYSLOG Configuration:

- Level: Information
- Facility: Local7

- Faults: Enabled
- Audits: Enabled
- Events: Disabled


Risks:
======
1. Individuals who have access to the SYSLOG logs may not be authorized to have access to the UCSM environment and this information represents an exposure.

2. Authorized users with the 'Operations' roles can configure SYSLOG settings, capture hashes, crack them, and elevate access to Administrator within the UCSM.

3. SYSLOG is transmitted in plain text.


Submitter recommendations to vendor:
====================================
1. Remove the username and password hash data from the SYSLOG output.

2. Allow the configuration of the SYSLOG destination port to enable easier segmentation of SYSLOG data on the log aggregation system.

3. Add support for TLS wrapped SYSLOG output.


Vendor response/resolution:
==========================
After being reported on October 30, 2014 the issue was handed from Cisco PSIRT to internal development where it was treated as a standard bug. Neither the PSIRT nor Cisco

TAC were able to determine the status of the effort other than it was in progress with an undetermined release date. On March 6, 2015 version 2.2(3e) of the UCSM software

bundle was released and the release notes contained the following text:

---
Cisco UCS Manager Release 1.3 through Release 2.2 no longer sends UCS Manager username and password hashes to the configured SYSLOG server every 12 hours.
---

For several weeks a document related to this issue could be found in the Cisco Security Advisories, Responses, and Alerts site [1] but this has since been removed.

Documents detailing similar issues [2] have been released but none reference the Bug/Defect ID I was provided and the affected versions do not match.

The following documents remain available:

Public URL for Defect: https://tools.cisco.com/quickview/bug/CSCur54705
Bug Search (login required): https://tools.cisco.com/bugsearch/bug/CSCur54705
Release notes for 2.2(3e): http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/release/notes/ucs_2_2_rn.html#21634


Associated vendor IDs: PSIRT-1394165707 CSCur54705

Timeline:
============
2014.10.30 Reported to psirt@cisco.com
2014.11.04 Response from PSIRT, assigned PSIRT-1394165707
2014.11.06 Follow up questions from Cisco, response provided same day
2014.11.12 Status request. PSIRT responded that this had been handed to development and assigned defect id CSCur54705.
2014.12.04 As PSIRT doesn't own the bug any longer, opened TAC case requesting status.
2014.12.10 Response from Cisco TAC indicating that perhaps I should upgrade to the latest version at that time
2014.12.12 Discussion with TAC, unable to gather required status update internally, TAC case closed with my permission

2015.02.04 Internal Cisco updates to the public bug document triggered email notification, no visible changes to public information
2015.02.05 Sent status update request to PSIRT, response was that bug was fixed internally, release pending testing, release cycle, etc.
2015.02.11 Follow up from Cisco to ensure that no additional information was required, closure of my request with my permission
2015.02.13 Internal Cisco updates to the public bug document triggered email notification, no visible changes to public information
2015.03.04 Internal Cisco updates to the public bug document triggered email notification, no visible changes to public information
2015.03.06 Update to public bug document, indicates that vulnerability is fixed in 2.2(3e)


Reference:

1 - http://tools.cisco.com/security/center/publicationListing.x
2 - http://tools.cisco.com/security/center/viewAlert.x?alertId=36640 ( CVE-2014-8009 )


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close