CVE-2020-3173: Cisco UCS Manager Software Local Management CLI Command Injection Vulnerability
First published: Wed Feb 26 2020(Updated: )
A vulnerability in the local management (local-mgmt) CLI of Cisco UCS Manager Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) on an affected device. The vulnerability is due to insufficient input validation of command arguments. An attacker could exploit this vulnerability by including crafted arguments to specific commands on the local management CLI. A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS with the privileges of the currently logged-in user for all affected platforms excluding Cisco UCS 6400 Series Fabric Interconnects. On Cisco UCS 6400 Series Fabric Interconnects, the injected commands are executed with root privileges.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco UCS Manager | <3.2\(3n\) | |
| Cisco UCS Manager | >=4.0<4.0\(4c\) | |
| Cisco Ucs 6248up | ||
| Cisco Ucs 6296up | ||
| Cisco Ucs 6324 | ||
| Cisco Ucs 6332 | ||
| Cisco Ucs 6332-16up | ||
| Cisco Ucs 64108 | ||
| Cisco Ucs 6454 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-3173?
CVE-2020-3173 is a vulnerability in the local management (local-mgmt) CLI of Cisco UCS Manager Software that allows an authenticated, local attacker to execute arbitrary commands on the underlying operating system.
How does CVE-2020-3173 affect Cisco UCS Manager Software?
CVE-2020-3173 affects Cisco UCS Manager Software versions up to 4.0(4c).
What is the severity rating of CVE-2020-3173?
CVE-2020-3173 has a severity rating of 7.8 (High).
How can an attacker exploit CVE-2020-3173?
An attacker can exploit CVE-2020-3173 by leveraging insufficient input validation of command arguments in the CLI to execute arbitrary commands on the targeted device.
Is there a fix for CVE-2020-3173?
Yes, Cisco has released a security advisory with instructions on how to mitigate the vulnerability. Please refer to the reference link for more information.
- collector/nvd-index
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/severity
- agent/title
- agent/author
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/cisco
- canonical/cisco ucs manager
- version/cisco ucs manager/4.0
- canonical/cisco ucs 6248up
- canonical/cisco ucs 6296up
- canonical/cisco ucs 6324
- canonical/cisco ucs 6332
- canonical/cisco ucs 6332-16up
- canonical/cisco ucs 64108
- canonical/cisco ucs 6454