The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Attack Requirements (AT): None
The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability.
Privileges Required (PR): None
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction (UI): None
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include:
- a remote attacker is able to send packets to a target system
- a locally authenticated attacker executes code to elevate privileges
Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality (C): High
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity (I): High
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability (A): High
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Exploit Maturity (E): Proof-of-Concept
Based on available threat intelligence each of the following must apply:
- Proof-of-concept exploit code is publicly available
- No knowledge of reported attempts to exploit this vulnerability
- No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the "Attacked" value does not apply)
Subject: Cisco UCSM username and password hashes sent via SYSLOG
Impact: Information Disclosure / Privilege Elevation
Vendor: Cisco
Product: Cisco Unified Computing System Manager (UCSM)
Notified: 2014.10.31
Fixed: 2015.03.06 ( 2.2(3e) )
Author: Tom Sellers ( tom at fadedcode.net )
Date: 2015.03.21
Description:
============
Cisco Unified Computing System Manager (UCSM) versions 1.3 through 2.2 sends local (UCSM) username and password hashes to the configured SYSLOG server every 12 hours. If the Fabric Interconnects are in a cluster then each member will transmit the data.
SYSLOG Example ( portions of password hash replaced with <!snip!> ):
Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:User1,$1$e<!snip!>E.,-1.000000,16372.000000 - securityd
Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:admin,$1$J<!snip!>71,-1.000000,16372.000000 - securityd
Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:samdme,!,-1.000000,16372.000000 - securityd
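As an added example (not part of the advisory), a small Python scanner for a log-aggregation pipeline that flags the UCSM securityd records above when they carry a crypt(3)-style hash, and redacts the hash field before the line is stored or forwarded. The sample lines and hash values are constructed for the example, not taken from a real device.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# UCSM securityd record as shown in the advisory:
#   "... %USER-6-SYSTEM_MSG: checking user:<name>,<pwfield>,<n>,<n> - securityd"
# <pwfield> is a crypt(3) hash ("$1$salt$digest") or "!" when no hash is set.
RECORD_RE = re.compile(
    r"%USER-6-SYSTEM_MSG: checking user:(?P<user>[^,]+),(?P<pwfield>[^,]*),"
    r"(?P<f1>-?[0-9.]+),(?P<f2>-?[0-9.]+) - securityd"
)
# crypt(3) modular format $<id>$<salt>$<digest>; id "1" is md5crypt, as in the sample.
HASH_RE = re.compile(r"^\$(?P<id>[0-9a-z]+)\$(?P<salt>[^$]+)\$(?P<digest>[./0-9A-Za-z]+)$")

@dataclass
class LeakedHash:
    user: str
    crypt_id: str

def scan_line(line: str) -> Optional[LeakedHash]:
    """Return a finding if the line is a UCSM user record that carries a password hash."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    h = HASH_RE.match(m.group("pwfield"))
    if not h:
        return None  # "!" or empty field: account record without a hash, nothing to report
    return LeakedHash(user=m.group("user"), crypt_id=h.group("id"))

def scan_feed(lines) -> List[LeakedHash]:
    """Run scan_line over a syslog feed and collect the findings."""
    return [f for f in (scan_line(l) for l in lines) if f is not None]

def redact_line(line: str) -> str:
    """Rewrite the record with the hash field replaced; lines without a hash are unchanged."""
    def _sub(m):
        if not HASH_RE.match(m.group("pwfield")):
            return m.group(0)
        return (f"%USER-6-SYSTEM_MSG: checking user:{m.group('user')},<redacted-hash>,"
                f"{m.group('f1')},{m.group('f2')} - securityd")
    return RECORD_RE.sub(_sub, line)

# Constructed sample feed (hash digests are placeholders, not real hashes).
PREFIX = "Oct 28 23:31:37 192.0.2.42 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: "
SAMPLE_LINES = [
    PREFIX + "checking user:User1,$1$ab12cd34$FakeDigestForExample01,-1.000000,16372.000000 - securityd",
    PREFIX + "checking user:admin,$1$ef56gh78$FakeDigestForExample02,-1.000000,16372.000000 - securityd",
    PREFIX + "checking user:samdme,!,-1.000000,16372.000000 - securityd",
    PREFIX + "unrelated daemon message - securityd",
]
```

Running scan_feed(SAMPLE_LINES) reports User1 and admin (both md5crypt, crypt id "1") and skips the samdme record and the unrelated line.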
Vulnerable environment(s):
==========================
Cisco Unified Computing System Manager (UCSM) is a Cisco product that manages all aspects of the Unified Computing System (UCS) environment including Fabric Interconnects, B-Series blade servers and the related blade chassis. C-Series (non-blade) servers can also be managed. These solutions are deployed in high performance / high density compute solutions and allow for policy based and rapid deployment of resources. They are typically found in Data Center class environments with 10/40 GB network and 8/16 GB Fibre Channel connectivity.
Software Versions: 1.3 - 2.2(1b)A
Hardware: Cisco 6120 XP, 6296 UP
SYSLOG Configuration:
- Level: Information
- Facility: Local7
- Faults: Enabled
- Audits: Enabled
- Events: Disabled
Risks:
======
1. Individuals who have access to the SYSLOG logs may not be authorized to have access to the UCSM environment and this information represents an exposure.
2. Authorized users with the 'Operations' roles can configure SYSLOG settings, capture hashes, crack them, and elevate access to Administrator within the UCSM.
3. SYSLOG is transmitted in plain text.
Submitter recommendations to vendor:
====================================
1. Remove the username and password hash data from the SYSLOG output.
2. Allow the configuration of the SYSLOG destination port to enable easier segmentation of SYSLOG data on the log aggregation system.
3. Add support for TLS wrapped SYSLOG output.
Vendor response/resolution:
==========================
After being reported on October 30, 2014 the issue was handed from Cisco PSIRT to internal development where it was treated as a standard bug. Neither the PSIRT nor Cisco TAC were able to determine the status of the effort other than it was in progress with an undetermined release date. On March 6, 2015 version 2.2(3e) of the UCSM software bundle was released and the release notes contained the following text:
---
Cisco UCS Manager Release 1.3 through Release 2.2 no longer sends UCS Manager username and password hashes to the configured SYSLOG server every 12 hours.
---
For several weeks a document related to this issue could be found in the Cisco Security Advisories, Responses, and Alerts site [1] but this has since been removed.
Documents detailing similar issues [2] have been released but none reference the Bug/Defect ID I was provided and the affected versions do not match.
The following documents remain available:
Public URL for Defect: https://tools.cisco.com/quickview/bug/CSCur54705
Bug Search (login required): https://tools.cisco.com/bugsearch/bug/CSCur54705
Release notes for 2.2(3e):
http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/release/notes/ucs_2_2_rn.html#21634
Associated vendor IDs: PSIRT-1394165707 CSCur54705
Timeline:
============
2014.10.30 Reported to psirt () cisco com
2014.11.04 Response from PSIRT, assigned PSIRT-1394165707
2014.11.06 Follow up questions from Cisco, response provided same day
2014.11.12 Status request. PSIRT responded that this had been handed to development and assigned defect id CSCur54705.
2014.12.04 As PSIRT doesn't own the bug any longer, opened TAC case requesting status.
2014.12.10 Response from Cisco TAC indicating that perhaps I should upgrade to the latest version at that time
2014.12.12 Discussion with TAC, unable to gather required status update internally, TAC case closed with my permission
2015.02.04 Internal Cisco updates to the public bug document triggered email notification, no visible changes to public information
2015.02.05 Sent status update request to PSIRT, response was that bug was fixed internally, release pending testing, release cycle, etc.
2015.02.11 Follow up from Cisco to ensure that no additional information was required, closure of my request with my permission
2015.02.13 Internal Cisco updates to the public bug document triggered email notification, no visible changes to public information
2015.03.04 Internal Cisco updates to the public bug document triggered email notification, no visible changes to public information
2015.03.06 Update to public bug document, indicates that vulnerability is fixed in 2.2(3e)
Reference:
1 - http://tools.cisco.com/security/center/publicationListing.x
2 - http://tools.cisco.com/security/center/viewAlert.x?alertId=36640 ( CVE-2014-8009 )