Subject: Cisco UCSM username and password hashes sent via SYSLOG
Impact: Information Disclosure / Privilege Elevation
Vendor: Cisco
Product: Cisco Unified Computing System Manager (UCSM)
Notified: 2014.10.31
Fixed: 2015.03.06 ( 2.2(3e) )
Author: Tom Sellers ( tom at fadedcode.net )
Date: 2015.03.21

Description:
============

Cisco Unified Computing System Manager (UCSM) versions 1.3 through 2.2 send the local (UCSM) usernames and password hashes to the configured SYSLOG server every 12 hours. If the Fabric Interconnects are in a cluster, each member transmits the data.

SYSLOG Example ( portions of each password hash have been removed ):

Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:User1,$1$eE.,-1.000000,16372.000000 - securityd
Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:admin,$1$J71,-1.000000,16372.000000 - securityd
Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:samdme,!,-1.000000,16372.000000 - securityd

Vulnerable environment(s):
==========================

Cisco Unified Computing System Manager (UCSM) is a Cisco product that manages all aspects of the Unified Computing System (UCS) environment, including the Fabric Interconnects, B-Series blade servers and the related blade chassis. C-Series (non-blade) servers can also be managed. These solutions are deployed as high performance / high density compute platforms and allow policy based, rapid deployment of resources. They are typically found in data center class environments with 10/40 Gb Ethernet and 8/16 Gb Fibre Channel connectivity.

Software Versions: 1.3 - 2.2(1b)A
Hardware: Cisco 6120 XP, 6296 UP

SYSLOG Configuration:
- Level: Information
- Facility: Local7
- Faults: Enabled
- Audits: Enabled
- Events: Disabled

Risks:
======

1. Individuals who have access to the SYSLOG logs may not be authorized to access the UCSM environment, so this information represents an exposure.
2. Authorized users with the 'Operations' role can configure the SYSLOG settings, capture the hashes, crack them, and elevate their access to Administrator within UCSM.
3. SYSLOG is transmitted in plain text.

Submitter recommendations to vendor:
====================================

1. Remove the username and password hash data from the SYSLOG output.
2. Allow the SYSLOG destination port to be configured, to enable easier segmentation of SYSLOG data on the log aggregation system.
3. Add support for TLS wrapped SYSLOG output.

Vendor response/resolution:
==========================

After being reported on October 30, 2014 the issue was handed from Cisco PSIRT to internal development, where it was treated as a standard bug. Neither the PSIRT nor Cisco TAC was able to determine the status of the effort other than that it was in progress with an undetermined release date. On March 6, 2015 version 2.2(3e) of the UCSM software bundle was released and the release notes contained the following text:
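The securityd messages quoted in the Description section are easy to pick out on the log aggregation side, which is the practical check for anyone who has to confirm whether affected Fabric Interconnects have already leaked hashes into their SYSLOG store. The scanner below is an added example written for this page; it is not code from the advisory author or from Cisco. It assumes the message layout shown above (four comma-separated fields after "checking user:"), treats the standard crypt(3) prefix "$1$" as md5crypt (the "$5$"/"$6$" entries are an assumption added so stronger hash types would also be flagged), and reads "!" in the password field as "no usable password" by the usual shadow-file convention. The sample input reuses the three advisory lines and adds two constructed lines, one of which carries a constructed, syntactically complete md5crypt hash rather than a real one.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Pattern for the UCSM securityd message shown in the advisory. The four
# comma-separated fields after "checking user:" are: username, password
# field (a crypt(3) hash, or "!" when no password is set), and two numeric
# fields whose meaning the advisory does not document.
SECURITYD_RE = re.compile(
    r"%USER-6-SYSTEM_MSG: checking user:"
    r"(?P<user>[^,]+),(?P<pw>[^,]*),(?P<f1>-?[\d.]+),(?P<f2>-?[\d.]+) - securityd"
)

# Relay header prepended by the collector: "Oct 28 23:31:37 <host> : ..."
HEADER_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?P<host>\S+)\s+:"
)

# Modular Crypt Format prefixes. $1$ (md5crypt) is what the advisory shows;
# $5$ and $6$ are an assumption so the scanner also flags stronger hashes.
CRYPT_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}


@dataclass
class LeakedCredential:
    host: str
    user: str
    password_field: str
    hash_type: str   # "md5crypt", "none" (no hash present) or "unknown"
    crackable: bool  # True when an actual hash value was disclosed


def classify_password_field(pw: str):
    """Return (hash_type, crackable) for the password field of one message."""
    if pw in ("", "!", "*", "!!"):  # locked / no password (shadow convention)
        return "none", False
    for prefix, name in CRYPT_PREFIXES.items():
        if pw.startswith(prefix):
            return name, True
    return "unknown", True  # non-empty but unrecognised: still treat as a leak


def parse_line(line: str) -> Optional[LeakedCredential]:
    """Parse one syslog line; return None unless it is a securityd user line."""
    m = SECURITYD_RE.search(line)
    if not m:
        return None
    h = HEADER_RE.match(line)
    host = h.group("host") if h else "unknown"
    hash_type, crackable = classify_password_field(m.group("pw"))
    return LeakedCredential(host, m.group("user"), m.group("pw"), hash_type, crackable)


def scan(lines: Iterable[str]) -> List[LeakedCredential]:
    """Return every credential-disclosing message found in the log lines."""
    return [c for c in (parse_line(line) for line in lines) if c is not None]


def crackable_users(lines: Iterable[str]) -> List[str]:
    """Sorted, de-duplicated usernames whose hash was actually disclosed."""
    return sorted({c.user for c in scan(lines) if c.crackable})


# Sample input: the three lines quoted in the advisory (hashes truncated there),
# a constructed non-matching UCSM line, and a constructed securityd line
# carrying a constructed full-length md5crypt string (not a real hash).
SAMPLE_LOG = [
    "Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: "
    "checking user:User1,$1$eE.,-1.000000,16372.000000 - securityd",
    "Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: "
    "checking user:admin,$1$J71,-1.000000,16372.000000 - securityd",
    "Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: "
    "checking user:samdme,!,-1.000000,16372.000000 - securityd",
    # constructed: an unrelated securityd message that must not match
    "Oct 28 23:31:40 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:18 CDT: %USER-6-SYSTEM_MSG: "
    "session opened - securityd",
    # constructed: a second cluster member leaking a (constructed) full md5crypt hash
    "Oct 28 23:31:41 xxx.Xxx.xxx.243 : 2014 Oct 28 23:49:19 CDT: %USER-6-SYSTEM_MSG: "
    "checking user:svc_backup,$1$Zx8TQ2pL$9kFq1dD3yTQeCc5uXsbVh1,-1.000000,16372.000000 - securityd",
]

if __name__ == "__main__":
    for cred in scan(SAMPLE_LOG):
        flag = "HASH DISCLOSED" if cred.crackable else "no hash"
        print(f"{cred.host:18} {cred.user:12} {cred.hash_type:12} {flag}")
    print("users to rotate:", ", ".join(crackable_users(SAMPLE_LOG)))
```

Running this over the sample input reports User1, admin and svc_backup as accounts whose hashes reached the collector, while samdme is listed but not flagged because its password field is "!". Anyone who finds such lines in a historical SYSLOG store should treat the listed accounts as exposed and rotate their passwords after upgrading, since md5crypt hashes are cheap to attack offline.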
Source: Gmail -> IFTTT-> Blogger