Cisco Bug: CSCvs35506 - Cisco IMC Supervisor, UCS Director, UCS Director Express Big Data Role RBAC Vulnerability

Last Modified

May 12, 2020

Products (1)

  • Cisco Integrated Management Controller (IMC) Supervisor

Known Affected Releases

2.2(1.1)

Description (partial)

Symptom:
A vulnerability in the role-based access control of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an authenticated, remote attacker with read-only privileges to disable user accounts on an affected system.

The vulnerability is due to incorrect allocation of the enable/disable action button under the role-based access control code on an affected system. An attacker could exploit this vulnerability by authenticating as a read-only user and then updating the roles of other users to disable them. A successful exploit could allow the attacker to disable users, including administrative users.
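The root cause described above is an authorization decision attached to which UI action button a role is offered, rather than to the server-side handler that performs the action. The constructed example below (added here, not Cisco code) contrasts that weak pattern with a handler that enforces the permission itself, and reuses the same permission table to flag suspicious entries in an audit log; the role names, the in-memory user store and the audit record format are assumptions.

```python
from dataclasses import dataclass

ADMIN, READ_ONLY = "admin", "read-only"  # assumed role names

# Which buttons the UI offers each role. In the weak design this table is
# the ONLY place the "disable" action is gated.
UI_BUTTONS = {ADMIN: {"view", "disable"}, READ_ONLY: {"view"}}

# Roles the server must require for each action, independent of the UI.
ACTION_PERMISSIONS = {"view": {ADMIN, READ_ONLY}, "disable": {ADMIN}}


@dataclass
class User:
    name: str
    role: str
    enabled: bool = True


def make_users():
    """Constructed in-memory user store."""
    return {u.name: u for u in (User("alice", ADMIN), User("bob", READ_ONLY))}


def button_visible(role, action):
    """Client-side gating only: decides whether the button is rendered."""
    return action in UI_BUTTONS[role]


def disable_user_weak(users, actor, target):
    """Weak handler: assumes only roles that were shown the button can reach
    it, so it performs no check. A request sent directly to the endpoint
    (bypassing the UI) succeeds for any authenticated actor."""
    users[target].enabled = False
    return True


def disable_user_hardened(users, actor, target):
    """Hardened handler: re-checks the actor's role against the action's
    required permissions on every call, regardless of what the UI exposed."""
    if users[actor].role not in ACTION_PERMISSIONS["disable"]:
        return False  # denied; the target account is left untouched
    users[target].enabled = False
    return True


def find_unauthorized_actions(audit_records):
    """Defender-side check over audit records of the assumed shape
    (actor, actor_role, action, target): return entries whose recorded
    role lacks permission for the action, i.e. what this class of bug
    would leave behind in the logs of an unpatched system."""
    return [r for r in audit_records
            if r[1] not in ACTION_PERMISSIONS.get(r[2], set())]
```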

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-Ar6BAguz

Conditions:
At the time of publication, this vulnerability affected the following Cisco products:

* IMC Supervisor releases 1.1.0.0 and later, earlier than Release 2.2.1.3
* UCS Director releases 5.4.0.0 and later, earlier than Release 6.7.4.0
* UCS Director Express for Big Data releases 2.0.0.0 and later, earlier than Release 3.7.4.0

At the time of publication, the following Cisco software releases included the fix for this vulnerability:

* IMC Supervisor releases 2.2.1.3 and later
* UCS Director releases 6.7.4.0 and later
* UCS Director Express for Big Data releases 3.7.4.0 and later