cisco-sa-20200226-fxos-ucs-cli-cmdinj: Cisco FXOS and UCS Manager Software Local Management CLI Command Injection Vulnerability
First published: Wed Feb 26 2020(Updated: )
A vulnerability in the local management (local-mgmt) CLI of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including crafted arguments to specific commands. A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS with the privileges of the currently logged-in user for all affected platforms excluding Cisco UCS 6400 Series Fabric Interconnects. On Cisco UCS 6400 Series Fabric Interconnects, the injected commands are executed with root privileges. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200226-fxos-ucs-cli-cmdinj
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco ASA Software | =9.10<9.10.1.10>=9.8<=9.9<9.9.2.47 | 9.10.1.10 9.9.2.47 |
| Cisco FTD Software | >=6.2.2<=6.2.3<6.2.3.12 | 6.2.3.12 |
| Cisco FX-OS | =2.4<2.4.1.234=2.3<2.3.1.144>=Earlier than 2.2<=2.2<2.2.2.91 | 2.4.1.234 2.3.1.144 2.2.2.91 |
| Cisco Unified Computing System (UCS) | =4.0<4.0(4g)>=Earlier than 3.2<=3.2<3.2(3n) | 4.0(4g) 3.2(3n) |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this Cisco FXOS and UCS Manager Software vulnerability?
The vulnerability ID for this Cisco FXOS and UCS Manager Software vulnerability is cisco-sa-20200226-fxos-ucs-cli-cmdinj.
What is the severity of the Cisco FXOS and UCS Manager Software vulnerability?
The severity of the Cisco FXOS and UCS Manager Software vulnerability is high with a CVSS score of 7.8.
How can an attacker exploit the Cisco FXOS and UCS Manager Software vulnerability?
An attacker can exploit the Cisco FXOS and UCS Manager Software vulnerability by executing arbitrary commands on the underlying operating system of an affected device through the local management CLI.
What versions of Cisco FXOS Software are affected by this vulnerability?
Versions 2.4, 2.3, and earlier than 2.2 of Cisco FXOS Software are affected by this vulnerability.
Is there a remedy available for this Cisco FXOS and UCS Manager Software vulnerability?
Yes, Cisco has provided remedies for this vulnerability. Please refer to the Cisco Security Advisory for the specific versions and steps to mitigate the vulnerability.
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/type
- agent/severity
- agent/title
- agent/weakness
- agent/references
- agent/description
- agent/event
- agent/source
- agent/tags
- collector/cisco-advisory
- source/Cisco
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/cisco
- canonical/cisco asa software
- version/cisco asa software/9.10
- version/cisco asa software/9.8
- version/cisco asa software/9.9
- canonical/cisco ftd software
- version/cisco ftd software/6.2.2
- version/cisco ftd software/6.2.3
- canonical/cisco fx-os
- version/cisco fx-os/2.4
- version/cisco fx-os/2.3
- version/cisco fx-os/earlier than 2.2
- version/cisco fx-os/2.2
- canonical/cisco unified computing system (ucs)
- version/cisco unified computing system (ucs)/4.0
- version/cisco unified computing system (ucs)/earlier than 3.2
- version/cisco unified computing system (ucs)/3.2