CVE-2020-3248
📋 TL;DR
CVE-2020-3248 is one of several vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data covered by a single Cisco advisory. Insufficient input validation in the REST API allows a remote attacker to bypass authentication or conduct directory traversal attacks against an affected appliance. Organizations that use these products for data center management are affected; a successful attacker gains unauthorized access to the management plane and, through it, to the systems it orchestrates.
💻 Affected Systems
- Cisco UCS Director
- Cisco UCS Director Express for Big Data
📦 What is this software?
Cisco UCS Director is a management and orchestration platform for data center compute, network, storage and virtualization resources, delivered as a virtual appliance. UCS Director Express for Big Data is the variant used to deploy and manage Hadoop clusters on Cisco UCS hardware. Both expose a REST API on the management interface, which is where this vulnerability lives.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, access sensitive data, and pivot to other network resources.
Likely Case
Unauthorized access to management interfaces leading to data exposure, configuration changes, and potential lateral movement.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to vulnerable interfaces.
🎯 Exploit Status
Public proof-of-concept exploit code exists (see the ZDI advisory under References). The authentication bypass and directory traversal are simple to exploit once the REST API is reachable: no credentials and no user interaction are required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: UCS Director 6.7.4.0 or later; UCS Director Express for Big Data 3.7.4.0 or later
Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E
Restart Required: Yes
Instructions:
1. Download the fixed release from the Cisco Software Center.
2. Back up the current configuration and take a snapshot of the appliance.
3. Apply the upgrade following the Cisco UCS Director upgrade guide.
4. Restart services or the appliance as the upgrade guide requires.
🔧 Temporary Workarounds
Restrict Network Access
Limit access to the UCS Director REST API to trusted IP addresses only
Configure firewall rules to restrict TCP/443 access to the UCS Director management IP
Disable Unused Features
Disable the REST API if it is not required for operations
Consult Cisco documentation for disabling specific REST API endpoints
🧯 If You Can't Patch
- Implement strict network segmentation to isolate UCS Director from untrusted networks
- Enable detailed logging and monitoring for authentication attempts and file access patterns
🔍 How to Verify
Check if Vulnerable:
Any UCS Director release earlier than 6.7.4.0, and any UCS Director Express for Big Data release earlier than 3.7.4.0, is affected. UCS Director is a Linux-based virtual appliance and has no IOS-style 'show version' command.
Check Version:
Read the installed release from the web interface (the About dialog under the Admin menu) or from the appliance's ShellAdmin console menu.
Verify Fix Applied:
Confirm the version is 6.7.4.0 or later (3.7.4.0 or later for Express for Big Data), then confirm that REST API requests without a valid API access key are rejected.
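The version comparison above is easy to get wrong when done on strings ("6.7.10.0" sorts before "6.7.4.0" lexically). The following is an added example, not Cisco tooling, that checks a constructed appliance inventory against the two fixed releases from the advisory using numeric tuple comparison; the product keys and the inventory entries are assumptions made for the example.

```python
"""Check a UCS Director inventory against the fixed releases in the
Cisco advisory. Added example; the inventory below is constructed."""

# Fixed releases per product (from the Cisco advisory): anything lower is affected.
FIXED = {
    "ucs-director": (6, 7, 4, 0),
    "ucs-director-express-big-data": (3, 7, 4, 0),
}


def parse_version(text):
    """Turn '6.7.3.1' into (6, 7, 3, 1).

    Shorter strings are padded with zeros so '6.7' compares as 6.7.0.0;
    non-numeric or over-long strings raise ValueError rather than being
    silently treated as fixed or vulnerable.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_fixed(product, version):
    """True if `version` of `product` is at or above the fixed release."""
    if product not in FIXED:
        raise ValueError(f"unknown product: {product!r}")
    # Tuple comparison is numeric per field, unlike string comparison.
    return parse_version(version) >= FIXED[product]


# Constructed inventory: (hostname, product key, reported version).
INVENTORY = [
    ("ucsd-prod-01", "ucs-director", "6.7.3.1"),
    ("ucsd-prod-02", "ucs-director", "6.7.4.0"),
    ("ucsd-prod-03", "ucs-director", "6.7.10.0"),
    ("ucsd-bigdata-01", "ucs-director-express-big-data", "3.7.3.0"),
    ("ucsd-bigdata-02", "ucs-director-express-big-data", "3.7.4.1"),
]


def vulnerable_hosts(inventory):
    """Return hostnames still running an affected release."""
    return [host for host, product, version in inventory
            if not is_fixed(product, version)]


if __name__ == "__main__":
    for host in vulnerable_hosts(INVENTORY):
        print(f"still vulnerable: {host}")
```

Feed it the versions read from each appliance's About dialog; a host on an Express for Big Data release is judged against 3.7.4.0, not 6.7.4.0, which a single hard-coded threshold would get wrong.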
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful access
- Unusual file access patterns in REST API logs
- Access to sensitive directories via HTTP requests
Network Indicators:
- Unusual traffic to UCS Director REST API endpoints from unexpected sources
- Directory traversal patterns in HTTP requests
SIEM Query (pseudo-syntax, adapt to your platform; the two indicators need separate rules because a single event cannot carry both an authentication failure and a success):
source="ucs-director" AND http_uri MATCHES "(\.\./|\.\.\\|%2e%2e)"
Correlation rule: source="ucs-director" AND auth_result="failure" followed by auth_result="success" from the same src_ip within 5 minutes
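The two log indicators above are straightforward to implement outside a SIEM. The following added example (not Cisco code) runs both checks over a constructed, simplified access-log format of timestamp, source IP, method, URI, status and auth result; the field layout and the sample lines are assumptions, so adapt the parser to what your UCS Director logs actually emit. It decodes URIs repeatedly so single- and double-percent-encoded traversal sequences are caught, and it correlates failure-then-success per source within a five-minute window.

```python
"""Directory-traversal and failure-then-success detection over
constructed UCS Director access-log lines. Added example, not Cisco code."""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample lines (not real UCS Director output):
# <timestamp> <src_ip> <method> <uri> <status> <auth_result>
SAMPLE_LOG = """\
2020-04-20T10:00:01Z 203.0.113.7 GET /app/api/rest?opName=userAPIGetVersion 401 failure
2020-04-20T10:01:30Z 203.0.113.7 GET /app/api/rest?opName=userAPIGetVersion 200 success
2020-04-20T10:02:00Z 203.0.113.7 GET /app/ui/..%2F..%2Fetc%2Fpasswd 200 success
2020-04-20T10:03:00Z 198.51.100.4 GET /app/api/rest?opName=userAPIGetAllCatalogs 200 success
2020-04-20T10:20:00Z 192.0.2.9 GET /app/api/rest?opName=userAPIGetVersion 401 failure
2020-04-20T10:40:00Z 192.0.2.9 GET /app/api/rest?opName=userAPIGetVersion 200 success
2020-04-20T10:41:00Z 192.0.2.9 GET /app/ui/%252e%252e/%252e%252e/etc/shadow 200 success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) "
    r"(?P<status>\d{3}) (?P<auth>success|failure)$"
)

# A '..' path segment delimited by / or \ (or at either end of the string).
TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.([/\\]|$)")


def parse(log_text):
    """Parse the constructed format into dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def normalize_uri(uri, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and double-encoded %252e%252e
    both collapse to '..'; stop once decoding no longer changes the string."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def find_traversal(events):
    """Return (src, original_uri) for each request whose decoded URI
    contains a '..' path segment."""
    return [(ev["src"], ev["uri"]) for ev in events
            if TRAVERSAL_RE.search(normalize_uri(ev["uri"]))]


def find_fail_then_success(events, window=timedelta(minutes=5)):
    """Return (src, success_ts) for each source whose auth success follows
    its most recent failure within `window`. Events are sorted by time so
    the input order does not matter; a success consumes the pending failure."""
    last_failure = {}
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["auth"] == "failure":
            last_failure[src] = ev["ts"]
        elif src in last_failure:
            if ev["ts"] - last_failure[src] <= window:
                flagged.append((src, ev["ts"]))
            del last_failure[src]
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for src, uri in find_traversal(evs):
        print(f"traversal   {src} {uri}")
    for src, ts in find_fail_then_success(evs):
        print(f"fail->succ  {src} {ts.isoformat()}")
```

On the sample data the traversal check fires for both 203.0.113.7 and 192.0.2.9 (the second only because of the double decoding), while the correlation fires only for 203.0.113.7: the 192.0.2.9 failure and success are twenty minutes apart, outside the window. Tune the window and consider excluding known monitoring sources before alerting on the correlation alone.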
🔗 References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E
- https://www.zerodayinitiative.com/advisories/ZDI-20-543/