FKIE_CVE-2019-1935

Vulnerability from fkie_nvd - Published: 2019-08-21 19:15 - Updated: 2024-11-21 04:37
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability in Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to log in to the CLI of an affected system by using the SCP User account (scpuser), which has default user credentials. The vulnerability is due to the presence of a documented default account with an undocumented default password and incorrect permission settings for that account. Changing the default password for this account is not enforced during the installation of the product. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the scpuser account. This includes full read and write access to the system's database.
References
psirt@cisco.comhttp://packetstormsecurity.com/files/154239/Cisco-UCS-IMC-Supervisor-Authentication-Bypass-Command-Injection.htmlExploit, Third Party Advisory, VDB Entry
psirt@cisco.comhttp://packetstormsecurity.com/files/154305/Cisco-UCS-Director-Default-scpuser-Password.htmlThird Party Advisory, VDB Entry
psirt@cisco.comhttp://seclists.org/fulldisclosure/2019/Aug/36Mailing List, Third Party Advisory
psirt@cisco.comhttps://seclists.org/bugtraq/2019/Aug/49Exploit, Mailing List, Third Party Advisory
psirt@cisco.comhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercredVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://packetstormsecurity.com/files/154239/Cisco-UCS-IMC-Supervisor-Authentication-Bypass-Command-Injection.htmlExploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108http://packetstormsecurity.com/files/154305/Cisco-UCS-Director-Default-scpuser-Password.htmlThird Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2019/Aug/36Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://seclists.org/bugtraq/2019/Aug/49Exploit, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercredVendor Advisory
Impacted products
Vendor Product Version
cisco integrated_management_controller_supervisor *
cisco integrated_management_controller_supervisor 2.1.0.0
cisco ucs_director 6.0.0.0
cisco ucs_director 6.5.0.0
cisco ucs_director 6.6.0.0
cisco ucs_director 6.6.1.0
cisco ucs_director 6.7\(0.0.67265\)
cisco ucs_director 6.7.0.0
cisco ucs_director 6.7.1.0
cisco ucs_director_express_for_big_data 3.0.0.0
cisco ucs_director_express_for_big_data 3.5.0.0
cisco ucs_director_express_for_big_data 3.6.0.0
cisco ucs_director_express_for_big_data 3.7.0.0
cisco ucs_director_express_for_big_data 3.7.1.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:cisco:integrated_management_controller_supervisor:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B97B4B36-28E2-4550-B766-BA10DE00A33D",
              "versionEndIncluding": "2.2.0.6",
              "versionStartIncluding": "2.2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:integrated_management_controller_supervisor:2.1.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "512DAB16-F482-424A-AC39-69977B775AA4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:cisco:ucs_director:6.0.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F5F6460C-AD67-4B0A-A900-798E7A2A92C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:ucs_director:6.5.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1DB174AA-261E-4252-AF4E-463EB72309D2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:ucs_director:6.6.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F95E9D60-7976-4CFB-B36B-0BC6675FA383",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:ucs_director:6.6.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E99B2DD-0E27-42FE-AE41-BE9FE8E78D4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:ucs_director:6.7\\(0.0.67265\\):*:*:*:*:*:*:*",
              "matchCriteriaId": "DDB592A9-56F6-422A-9698-09AFB96BE298",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:ucs_director:6.7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "53FB8D53-BF77-443F-947A-79A6268CCC5B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:ucs_director:6.7.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D16313A1-5D0B-4C91-B476-A9352A11AEE4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:cisco:ucs_director_express_for_big_data:3.0.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "93BE2DF4-CD88-407C-BDF6-ADD6001E3822",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:ucs_director_express_for_big_data:3.5.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8D361A6E-1F55-4CB0-97A3-A96042E7AFB8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:ucs_director_express_for_big_data:3.6.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "451ABC79-936F-469E-B1D8-ADB3EDCA52F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:ucs_director_express_for_big_data:3.7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0D842353-38D3-4F67-BAAC-EFEBDA7511D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:ucs_director_express_for_big_data:3.7.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C4B9E1E3-F91D-4EB6-B7FA-8BC72DC38006",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to log in to the CLI of an affected system by using the SCP User account (scpuser), which has default user credentials. The vulnerability is due to the presence of a documented default account with an undocumented default password and incorrect permission settings for that account. Changing the default password for this account is not enforced during the installation of the product. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the scpuser account. This includes full read and write access to the system\u0027s database."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad en Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, y Cisco UCS Director Express for Big Data podr\u00eda permitir que un atacante remoto no autenticado inicie sesi\u00f3n en la CLI de un sistema afectado utilizando la cuenta de usuario SCP (scpuser) , que tiene credenciales de usuario predeterminadas. La vulnerabilidad se debe a la presencia de una cuenta predeterminada documentada con una contrase\u00f1a predeterminada no documentada y una configuraci\u00f3n de permisos incorrecta para esa cuenta. El cambio de la contrase\u00f1a predeterminada para esta cuenta no se aplica durante la instalaci\u00f3n del producto. Un atacante podr\u00eda aprovechar esta vulnerabilidad utilizando la cuenta para iniciar sesi\u00f3n en un sistema afectado. Una explotaci\u00f3n exitosa podr\u00eda permitir al atacante ejecutar comandos arbitrarios con los privilegios de la cuenta scpuser. Esto incluye acceso completo de lectura y escritura a la base de datos del sistema."
    }
  ],
  "id": "CVE-2019-1935",
  "lastModified": "2024-11-21T04:37:43.173",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 10.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "psirt@cisco.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-08-21T19:15:15.277",
  "references": [
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/154239/Cisco-UCS-IMC-Supervisor-Authentication-Bypass-Command-Injection.html"
    },
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/154305/Cisco-UCS-Director-Default-scpuser-Password.html"
    },
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2019/Aug/36"
    },
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Aug/49"
    },
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/154239/Cisco-UCS-IMC-Supervisor-Authentication-Bypass-Command-Injection.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/154305/Cisco-UCS-Director-Default-scpuser-Password.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2019/Aug/36"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Aug/49"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred"
    }
  ],
  "sourceIdentifier": "psirt@cisco.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "psirt@cisco.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.