Cisco UCS Director and Cisco UCS Director Express for Big Data Multiple Vuulnerabilities (cisco-sa-ucsd-mult-vulns-UNfpdW4E) - Nessus

Critical Plugin ID: 135766

This page contains detailed information about the Cisco UCS Director and Cisco UCS Director Express for Big Data Multiple Vuulnerabilities (cisco-sa-ucsd-mult-vulns-UNfpdW4E) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents

hide

Plugin Overview
Vulnerability Information

Synopsis
Description
Solution

Public Exploits
Risk Information
Plugin Source
How to Run
References
Version

Plugin Overview

ID: 135766
Name: Cisco UCS Director and Cisco UCS Director Express for Big Data Multiple Vuulnerabilities (cisco-sa-ucsd-mult-vulns-UNfpdW4E)
Filename: cisco-sa-ucsd-mult-vulns-UNfpdW4E.nasl
Vulnerability Published: 2020-04-15
This Plugin Published: 2020-04-21
Last Modification Time: 2022-04-26
Plugin Version: 1.5
Plugin Type: combined
Plugin Family: CISCO
Dependencies: cisco_ucs_director_detect.nbin
Required KB Items [?]: Host/Cisco/UCSDirector/version

Vulnerability Information

Severity: Critical
Vulnerability Published: 2020-04-15
Patch Published: 2020-04-15
CVE [?]: CVE-2020-3239, CVE-2020-3240, CVE-2020-3243, CVE-2020-3247, CVE-2020-3248, CVE-2020-3249, CVE-2020-3250, CVE-2020-3251, CVE-2020-3252
CPE [?]: cpe:/a:cisco:ucs_director

Synopsis

The remote host is affected by multiple vulnerabilities.

Description

According to its self-reported version, the remote host is running a version of Cisco UCS Director that is affected by multiple vulnerabilities in the REST API which allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device, including the following:

- An unauthenticated, remote attacker can bypass authentication and execute arbitrary actions with administrative privileges on an affected device due to insufficient access control validation. An attacker can exploit this vulnerability by sending a crafted request to the REST API, allowing the attacker to interact with the REST API with administrative privileges. (CVE-2020-3243)

- An unauthenticated, remote attacker can execute arbitrary code with root privileges on the underlying operating system due to improper input validation. An attacker can exploit this by crafting a malicious file and sending it to the REST API. (CVE-2020-3240)

- An unauthenticated, remote attacker can bypass authentication and execute API calls on an affected device due to insufficient access control validation. An attacker can exploit this by sending a request to the REST API endpoint in order to cause a potential Denial of Service (DoS) condition on the affected device. (CVE-2020-3250)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Apply the patch or upgrade to the version recommended in Cisco advisory.

Public Exploits

Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, D2 Elliot)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Cisco UCS Director and Cisco UCS Director Express for Big Data Multiple Vuulnerabilities (cisco-sa-ucsd-mult-vulns-UNfpdW4E) vulnerability:

Metasploit: exploit/linux/http/cisco_ucs_cloupia_script_rce
[Cisco UCS Director Cloupia Script RCE]
D2 Elliot: cisco_ucs_director_directory_traversal.html
[Cisco UCS Director Directory Traversal]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

Risk Information

CVSS Score Source [?]: CVE-2020-3248
CVSS V2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C

CVSS Base Score:	10.0 (High)
Impact Subscore:	10.0
Exploitability Subscore:	10.0
CVSS Temporal Score:	8.3 (High)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	8.3 (High)

CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

CVSS Base Score:	9.8 (Critical)
Impact Subscore:	5.9
Exploitability Subscore:	3.9
CVSS Temporal Score:	9.1 (Critical)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	9.1 (Critical)

Go back to menu.

Plugin Source

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(135766);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/26");

  script_cve_id(
    "CVE-2020-3239",
    "CVE-2020-3240",
    "CVE-2020-3243",
    "CVE-2020-3247",
    "CVE-2020-3248",
    "CVE-2020-3249",
    "CVE-2020-3250",
    "CVE-2020-3251",
    "CVE-2020-3252"
  );
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs53493");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs53496");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs53500");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs53502");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs56399");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs56400");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs56401");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs69022");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs69171");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt39489");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt39526");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt39535");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt39555");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt39561");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt39565");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt39575");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt39580");

  script_name(english:"Cisco UCS Director and Cisco UCS Director Express for Big Data Multiple Vuulnerabilities (cisco-sa-ucsd-mult-vulns-UNfpdW4E)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the remote host is running a version of Cisco UCS Director that is affected by
multiple vulnerabilities in the REST API which allow a remote attacker to bypass authentication or conduct directory
traversal attacks on an affected device, including the following:

  - An unauthenticated, remote attacker can bypass authentication and execute arbitrary actions with
    administrative privileges on an affected device due to insufficient access control validation. An
    attacker can exploit this vulnerability by sending a crafted request to the REST API, allowing the
    attacker to interact with the REST API with administrative privileges. (CVE-2020-3243)

  - An unauthenticated, remote attacker can execute arbitrary code with root privileges on the underlying
    operating system due to improper input validation. An attacker can exploit this by crafting a malicious
    file and sending it to the REST API. (CVE-2020-3240)

  - An unauthenticated, remote attacker can bypass authentication and execute API calls on an affected device
    due to insufficient access control validation. An attacker can exploit this by sending a request to the
    REST API endpoint in order to cause a potential Denial of Service (DoS) condition on the affected device.
    (CVE-2020-3250)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs53493");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs53496");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs53500");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs53502");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs56399");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs56400");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs56401");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs69022");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs69171");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39489");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39526");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39535");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39555");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39561");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39565");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39575");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39580");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bbbadbc7");
  script_set_attribute(attribute:"solution", value:
"Apply the patch or upgrade to the version recommended in Cisco advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3248");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"Cisco UCS Director Directory Traversal");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Cisco UCS Director Cloupia Script RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/04/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/21");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:ucs_director");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ucs_director_detect.nbin");
  script_require_keys("Host/Cisco/UCSDirector/version");

  exit(0);
}

include('vcf.inc');

app_info = vcf::get_app_info(app:'Cisco UCS Director', kb_ver:'Host/Cisco/UCSDirector/version');

fix = '6.7.4.0';
constraints = [
  { 'equal' : '6.0.0.0', 'fixed_display': fix},
  { 'equal' : '6.0.0.1', 'fixed_display': fix},
  { 'equal' : '6.0.1.0', 'fixed_display': fix},
  { 'equal' : '6.0.1.1', 'fixed_display': fix},
  { 'equal' : '6.0.1.2', 'fixed_display': fix},
  { 'equal' : '6.0.1.3', 'fixed_display': fix},
  { 'equal' : '6.5.0.0', 'fixed_display': fix},
  { 'equal' : '6.5.0.1', 'fixed_display': fix},
  { 'equal' : '6.5.0.2', 'fixed_display': fix},
  { 'equal' : '6.5.0.3', 'fixed_display': fix},
  { 'equal' : '6.5.0.4', 'fixed_display': fix},
  { 'equal' : '6.6.0.0', 'fixed_display': fix},
  { 'equal' : '6.6.1.0', 'fixed_display': fix},
  { 'equal' : '6.6.2.0', 'fixed_display': fix},
  { 'equal' : '6.7.0.0', 'fixed_display': fix},
  { 'equal' : '6.7.1.0', 'fixed_display': fix},
  { 'equal' : '6.7.2.0', 'fixed_display': fix},
  { 'equal' : '6.7.3.0', 'fixed_display': fix}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

The latest version of this script can be found in these locations depending on your platform:

Linux / Unix:
/opt/nessus/lib/nessus/plugins/cisco-sa-ucsd-mult-vulns-UNfpdW4E.nasl
Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\cisco-sa-ucsd-mult-vulns-UNfpdW4E.nasl
Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/cisco-sa-ucsd-mult-vulns-UNfpdW4E.nasl

Go back to menu.

How to Run

Here is how to run the Cisco UCS Director and Cisco UCS Director Express for Big Data Multiple Vuulnerabilities (cisco-sa-ucsd-mult-vulns-UNfpdW4E) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

Click to start a New Scan.
Select Advanced Scan.
Navigate to the Plugins tab.
On the top right corner click to Disable All plugins.
On the left side table select CISCO plugin family.
On the right side table select Cisco UCS Director and Cisco UCS Director Express for Big Data Multiple Vuulnerabilities (cisco-sa-ucsd-mult-vulns-UNfpdW4E) plugin ID 135766.
Specify the target on the Settings tab and click to Save the scan.
Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl cisco-sa-ucsd-mult-vulns-UNfpdW4E.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a cisco-sa-ucsd-mult-vulns-UNfpdW4E.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - cisco-sa-ucsd-mult-vulns-UNfpdW4E.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state cisco-sa-ucsd-mult-vulns-UNfpdW4E.nasl -t <IP/HOST>

Go back to menu.

References

Cisco Bug ID:

CSCvs53493, CSCvs53496, CSCvs53500, CSCvs53502, CSCvs56399, CSCvs56400, CSCvs56401, CSCvs69022, CSCvs69171, CSCvt39489, CSCvt39526, CSCvt39535, CSCvt39555, CSCvt39561, CSCvt39565, CSCvt39575, CSCvt39580

See also:

Similar and related Nessus plugins:

129291 - Cisco UCS Director Authentication Bypass (cisco-sa-20190821-imcs-ucs-cmdinj)
130503 - Cisco Prime Infrastructure Multiple Vulnerabilities (cisco-sa-20190515-pi-rce)
131230 - Cisco Wireless LAN Controller HTTP Parsing Engine Denial of Service Vulnerability
131427 - Cisco IOS XE NGWC Legacy Wireless Device Manager GUI CSRF Vulnerability (cisco-sa-20190821-iosxe-ngwc-csrf)
131739 - Cisco Unified Communications Manager SQL Injection Vulnerability
131946 - Cisco UCS Director SCP User Default Credentials (cisco-sa-20190821-imcs-usercred)
132414 - Cisco NX-OS Software CLI Command Injection Vulnerability (Cisco-Sa-20190306-Nxos-Cmdinj-1609)
132721 - Cisco Data Center Network Manager < 11.3(1) Multiple Vulnerabilities
133044 - Cisco FTD Multiple Vulnerabilities (cisco-sa-20180418-asa1 / cisco-sa-20180418-asa2 / cisco-sa-20180418-asa3 / cisco-sa-20180418-asaanyconnect / cisco-sa-20180418-asa_inspect)
133603 - Cisco IOS XR Software Cisco Discovery Protocol Remote Code Execution Vulnerability (cisco-sa-20200205-iosxr-cdp-rce)
133604 - Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability (cisco-sa-20200205-nxos-cdp-rce)
133720 - Cisco FXOS Software Cisco Discovery Protocol Denial of Service Vulnerability (cisco-sa-20200205-fxnxos-iosxr-cdp-dos)
133721 - Cisco IOS XR Software Cisco Discovery Protocol Denial of Service Vulnerability (cisco-sa-20200205-fxnxos-iosxr-cdp-dos)
133722 - Cisco NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability (cisco-sa-20200205-fxnxos-iosxr-cdp-dos)
134234 - Cisco FXOS Software Cisco Discovery Protocol Arbitrary Code Execution and DoS (cisco-sa-20200226-fxos-nxos-cdp)
134235 - Cisco NX-OS Software Cisco Discovery Protocol Arbitrary Code Execution and DoS (cisco-sa-20200226-fxos-nxos-cdp)
134236 - Cisco UCS Software Cisco Discovery Protocol Arbitrary Code Execution and DoS (cisco-sa-20200226-fxos-nxos-cdp)
136891 - Cisco Firepower 1000 Series SSL/TLS Denial of Service Vulnerability (cisco-sa-ftd-tls-dos-4v5nmWtZ)
136914 - Cisco Adaptive Security Appliance Software Web Services Path Traversal (cisco-sa-asaftd-path-JE3azWw43)
136915 - Cisco Firepower Threat Defense Software Web Services Path Traversal (cisco-sa-asaftd-path-JE3azWw43)
137085 - Cisco Firepower Management Center Arbitrary Log File Write Vulnerability (cisco-sa-alfo-tHwFDmTE)
137144 - Cisco IOS Software Simple Network Management Protocol DoS (cisco-sa-snmp-dos-USxSyTk5)
137145 - Cisco IOS XE Software Simple Network Management Protocol DoS (cisco-sa-snmp-dos-USxSyTk5)
137182 - Cisco IOS XE Software Web UI RCE (cisco-sa-iosxe-webui-rce-uk8BXcUD)
137184 - Cisco NX-OS Software Unexpected IP in IP Packet Processing Vulnerability (cisco-sa-nxos-ipip-dos-kCT9X4)
137361 - Cisco IOS XE Software Privilege Escalation (cisco-sa-priv-esc2-A6jVRu7C)
137557 - Cisco Adaptive Security Appliance Software Kerberos Authentication Bypass (cisco-asa-kerberos-bypass-96Gghe2sS)
137629 - Cisco IOS XE Software Denial of Service (cisco-sa-ewlc-dos-AnvKvMxR)
137630 - Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution (cisco-sa-tcl-ace-C9KuVKmm)
137631 - Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution (cisco-sa-tcl-ace-C9KuVKmm)
137654 - Cisco IOS, IOS XE, and NX-OS Software Security Group Tag Exchange Protocol Denial of Service Vulnerability (cisco-sa-sxp-68TEVzR)
137655 - Cisco IOS, IOS XE, and NX-OS Software Security Group Tag Exchange Protocol Denial of Service Vulnerability (cisco-sa-sxp-68TEVzR)
137656 - Cisco IOS, IOS XE, and NX-OS Software Security Group Tag Exchange Protocol Denial of Service Vulnerability (cisco-sa-sxp-68TEVzR)
137659 - Cisco Adaptive Security Appliance Software Web Services Information Disclosure (cisco-sa-asaftd-info-disclose-9eJtycMB)

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file cisco-sa-ucsd-mult-vulns-UNfpdW4E.nasl version 1.5. For more plugins, visit the Nessus Plugin Library.

Go back to menu.

Cisco UCS Director and Cisco UCS Director Express for Big Data Multiple Vuulnerabilities (cisco-sa-ucsd-mult-vulns-UNfpdW4E) - Nessus

Plugin Overview

Vulnerability Information

Synopsis

Description

Solution

Public Exploits

Risk Information

Plugin Source

How to Run

References

Version

Nessus Plugin Library

Solving Problems with Office 365 Email from GoDaddy

Empire Module Library

CrackMapExec Module Library

Metasploit Android Modules

Top 16 Active Directory Vulnerabilities

Top 10 Vulnerabilities: Internal Infrastructure Pentest

Terminal Escape Injection

Cisco Password Cracking and Decrypting Guide

Capture Passwords using Wireshark

SSH Brute Force Attack Tool using PuTTY / Plink (ssh-putty-brute.ps1)

SMB Brute Force Attack Tool in PowerShell (SMBLogin.ps1)

Port Scanner in PowerShell (TCP/UDP)

Nessus CSV Parser and Extractor

Default Password Scanner (default-http-login-hunter.sh)