List: full-disclosure
Subject: [FD] Cisco Unified Computing System Manager (UCSM) username and password hashes sent via SYSLOG
From: "tom () fadedcode ! net" <tom () fadedcode ! net>
Date: 2015-03-22 1:03:17
Message-ID: 550E14D5.1050506 () fadedcode ! net
Subject: Cisco UCSM username and password hashes sent via SYSLOG
Impact: Information Disclosure / Privilege Elevation
Vendor: Cisco
Product: Cisco Unified Computing System Manager (UCSM)
Notified: 2014.10.31
Fixed: 2015.03.06 ( 2.2(3e) )
Author: Tom Sellers ( tom at fadedcode.net )
Date: 2015.03.21
Description:
============
Cisco Unified Computing System Manager (UCSM) versions 1.3 through 2.2 send local (UCSM) username and password hashes to the configured SYSLOG server every 12 hours. If the Fabric Interconnects are in a cluster, each member transmits the data.
SYSLOG Example ( portions of password hash replaced with <!snip!> ):
Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:User1,$1$e<!snip!>E.,-1.000000,16372.000000 - securityd
Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:admin,$1$J<!snip!>71,-1.000000,16372.000000 - securityd
Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:samdme,!,-1.000000,16372.000000 - securityd
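The following Python is an added example, not code from the advisory or from Cisco. It parses syslog lines in the format shown above, pulls out the username and hash field, classifies the hash by its crypt(3) prefix (the `$1$` seen above is md5crypt, which hashcat mode 500 and John's md5crypt format crack offline), lists the accounts whose passwords need rotating, and can redact the hash field in a log pipeline. The sample lines, the 192.0.2.42 source address and the hash values are constructed for this example and mirror only the layout of the real output; the regex anchors on the `checking user:` text and the `- securityd` suffix exactly as they appear above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the advisory's SYSLOG example. The relay
# timestamp, source address, hashes and numeric fields are made up for this
# example; only the message layout mirrors the real output. The last line is a
# constructed securityd message that should NOT be flagged.
SAMPLE_LOG = """\
Oct 28 23:31:37 192.0.2.42 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:User1,$1$e9QkLkqv$N2t1zq1p0JqY5h3mZ6vWE.,-1.000000,16372.000000 - securityd
Oct 28 23:31:37 192.0.2.42 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:admin,$1$J7vK0bfa$Ff0yQ9bGxyzZqP9sT2q/71,-1.000000,16372.000000 - securityd
Oct 28 23:31:37 192.0.2.42 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:samdme,!,-1.000000,16372.000000 - securityd
Oct 28 23:31:38 192.0.2.42 : 2014 Oct 28 23:49:16 CDT: %USER-6-SYSTEM_MSG: last message repeated 1 time - securityd
"""

# Relay prefix ("Mon DD HH:MM:SS <host> :"), the device's own timestamp, then
# the securityd message carrying "user:<name>,<hash>,<n1>,<n2>".
LEAK_RE = re.compile(
    r"^(?P<relay_ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) : "
    r"(?P<dev_ts>\d{4} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+): "
    r"%USER-6-SYSTEM_MSG: checking user:(?P<user>[^,]+),(?P<hash>[^,]*),"
    r"(?P<n1>-?\d+(?:\.\d+)?),(?P<n2>-?\d+(?:\.\d+)?) - securityd\s*$"
)


def classify_hash(h: str) -> str:
    """Map the hash field to its crypt(3) scheme, or note that no password is set."""
    if h in ("", "!", "!!", "*"):
        return "locked-or-no-password"
    if h.startswith("$1$"):
        return "md5crypt"      # crackable offline: hashcat -m 500, john --format=md5crypt
    if h.startswith("$5$"):
        return "sha256crypt"
    if h.startswith("$6$"):
        return "sha512crypt"
    return "unknown"


@dataclass
class LeakedCredential:
    source_host: str     # address the relay recorded for the Fabric Interconnect
    device_time: str     # timestamp from the device's own clock
    username: str
    password_hash: str
    hash_type: str

    def crackable(self) -> bool:
        return self.hash_type not in ("locked-or-no-password", "unknown")


def parse_line(line: str) -> Optional[LeakedCredential]:
    """Return the credential carried by one syslog line, or None if it is not a leak."""
    m = LEAK_RE.match(line)
    if m is None:
        return None
    h = m.group("hash")
    return LeakedCredential(m.group("host"), m.group("dev_ts"),
                            m.group("user"), h, classify_hash(h))


def find_leaked_credentials(log_text: str) -> List[LeakedCredential]:
    """Every account whose hash passed through the log pipeline, in log order."""
    found = []
    for line in log_text.splitlines():
        cred = parse_line(line)
        if cred is not None:
            found.append(cred)
    return found


def accounts_to_rotate(creds: List[LeakedCredential]) -> List[str]:
    """Usernames with a real, offline-crackable hash; these passwords should be changed."""
    seen, out = set(), []
    for c in creds:
        if c.crackable() and c.username not in seen:
            seen.add(c.username)
            out.append(c.username)
    return out


def redact_line(line: str) -> str:
    """Replace the hash field so stored logs no longer carry the secret."""
    m = LEAK_RE.match(line)
    if m is None or classify_hash(m.group("hash")) == "locked-or-no-password":
        return line
    start, end = m.span("hash")
    return line[:start] + "<redacted>" + line[end:]


if __name__ == "__main__":
    creds = find_leaked_credentials(SAMPLE_LOG)
    for c in creds:
        print(f"{c.source_host} {c.device_time}  {c.username:<8} {c.hash_type}")
    print("rotate:", accounts_to_rotate(creds))
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

Run it against the collector's archive for the period before the upgrade to 2.2(3e) to get the list of local UCSM accounts whose hashes left the device; those are the passwords to change, whether or not anyone is believed to have cracked them. The `-1.000000,16372.000000` fields are matched loosely as two numbers because the advisory does not say what they mean; if a real deployment emits other values in those positions, the regex still matches.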
Vulnerable environment(s):
==========================
Cisco Unified Computing System Manager (UCSM) is a Cisco product that manages all aspects of the Unified Computing System (UCS) environment, including Fabric Interconnects, B-Series blade servers and the related blade chassis. C-Series (non-blade) servers can also be managed. These solutions are deployed in high performance / high density compute environments and allow for policy based and rapid deployment of resources. They are typically found in Data Center class environments with 10/40 Gb Ethernet and 8/16 Gb Fibre Channel connectivity.
Software Versions: 1.3 - 2.2(1b)A
Hardware: Cisco 6120 XP, 6296 UP
SYSLOG Configuration:
- Level: Information
- Facility: Local7
- Faults: Enabled
- Audits: Enabled
- Events: Disabled
Risks:
======
1. Individuals who have access to the SYSLOG logs may not be authorized to have access to the UCSM environment, so this information represents an exposure.
2. Authorized users with the 'Operations' role can configure SYSLOG settings (including the destination server), capture the hashes, crack them, and elevate access to Administrator within the UCSM.
3. SYSLOG is transmitted in plain text.
Submitter recommendations to vendor:
====================================
1. Remove the username and password hash data from the SYSLOG output.
2. Allow the configuration of the SYSLOG destination port to enable easier segmentation of SYSLOG data on the log aggregation system.
3. Add support for TLS wrapped SYSLOG output.
Vendor response/resolution:
==========================
After being reported on October 30, 2014, the issue was handed from Cisco PSIRT to internal development, where it was treated as a standard bug. Neither the PSIRT nor Cisco TAC was able to determine the status of the effort other than that it was in progress with an undetermined release date. On March 6, 2015, version 2.2(3e) of the UCSM software bundle was released and the release notes contained the following text:
---
Cisco UCS Manager Release 1.3 through Release 2.2 no longer sends UCS Manager username and password hashes to the configured SYSLOG server every 12 hours.
---
For several weeks a document related to this issue could be found on the Cisco Security Advisories, Responses, and Alerts site [1], but it has since been removed. Documents detailing similar issues [2] have been released, but none reference the Bug/Defect ID I was provided, and the affected versions do not match.
The following documents remain available:
Public URL for Defect: https://tools.cisco.com/quickview/bug/CSCur54705
Bug Search (login required): https://tools.cisco.com/bugsearch/bug/CSCur54705
Release notes for 2.2(3e): http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/release/notes/ucs_2_2_rn.html#21634
Associated vendor IDs: PSIRT-1394165707 CSCur54705
Timeline:
============
2014.10.30 Reported to psirt@cisco.com
2014.11.04 Response from PSIRT, assigned PSIRT-1394165707
2014.11.06 Follow up questions from Cisco, response provided same day
2014.11.12 Status request. PSIRT responded that this had been handed to development and assigned defect id CSCur54705.
2014.12.04 As PSIRT doesn't own the bug any longer, opened TAC case requesting status.
2014.12.10 Response from Cisco TAC indicating that perhaps I should upgrade to the latest version at that time.
2014.12.12 Discussion with TAC, unable to gather required status update internally, TAC case closed with my permission.
2015.02.04 Internal Cisco updates to the public bug document triggered email notification, no visible changes to public information.
2015.02.05 Sent status update request to PSIRT, response was that bug was fixed internally, release pending testing, release cycle, etc.
2015.02.11 Follow up from Cisco to ensure that no additional information was required, closure of my request with my permission.
2015.02.13 Internal Cisco updates to the public bug document triggered email notification, no visible changes to public information.
2015.03.04 Internal Cisco updates to the public bug document triggered email notification, no visible changes to public information.
2015.03.06 Update to public bug document, indicates that vulnerability is fixed in 2.2(3e).
Reference:
1 - http://tools.cisco.com/security/center/publicationListing.x
2 - http://tools.cisco.com/security/center/viewAlert.x?alertId=36640 ( CVE-2014-8009 )
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/