Cisco IMC Server - Multiple Vulnerabilities
Leonidas Tsaousis
- Published: 4 Nov 2020
CVE-2020-26062, CVE-2020-26063
20/07/2020 | Issues disclosed to Cisco PSIRT
20/07/2020 | Cisco PSIRT acknowledged receipt of the report
05/08/2020 | Cisco triaged and reproduced the issues
28/09/2020 | Confirmation of remediation plan, agreement of joint disclosure date
04/11/2020 | Joint disclosure by Cisco and F-Secure, advisory released
Several vulnerabilities were discovered by F-Secure Consulting in the Cisco Integrated Management Controller (IMC) web application (CVE-2020-26062, CVE-2020-26063 and CSCvv07284). An example datasheet of the product can be found here.
Combined, the vulnerabilities can be leveraged to enumerate users and bypass authorisation controls.
Three security issues were identified affecting the IMC application version 4.0(4h) and potentially other versions. The complete range of affected products can be found on the relevant Cisco pages:
The Username Enumeration vulnerability was discovered within the login page of the IMC web interface. In its default configuration, no account lockout threshold is enforced, offering an adversary the opportunity to brute-force the enumerated accounts.
Once authenticated to the application, communications with the server consist of HTTP POST requests sent to a set of XML-based APIs. These API calls use an integrity protection scheme: user-supplied parameter values are hashed and the resulting value is placed in the CPSG_VAR HTTP header. The hashing functionality is implemented in client-side JavaScript, so the integrity value is computed entirely by the client.
The JavaScript hashing code was re-implemented in the form of an HTML page. The source code is presented below:
The screenshot below illustrates its use to generate valid requests that will pass integrity checks.
Authorisation checks were improperly configured and/or found to be missing on two of the IMC API endpoints. It is possible to forge a request using the Integrity Hash Forgery (CSCvv07284) issue that results in the execution of functionality not normally available to some users, such as those with “read-only” roles; examples are the “ping” and “set SSH server banner” functions.
The application also supports the generation of “Tech Support” archives by administrator users. The archives contain configuration files, detailed runtime logs and full directories from the server’s filesystem. If the filename can be ‘guessed’ it can be downloaded directly e.g. /data/saveTechSupportWithHostname(