CVE-2020-3250
Published 2020-04-15
Priority: P1 · 81 · critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (Metasploit module; see Detection & IOCs)
EPSS: 60.16% (99.0th percentile)
Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section of the Cisco advisory linked below.
Affected
The source lists 21 affected ranges; all but one are repeated `ucs_director` entries that carry no version data. Deduplicated:

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_ucs_director | — | — |
| cisco | ucs_director | — (no range given in source; the detection notes below treat releases earlier than 6.7.4.0 as vulnerable) | — |
| cisco | ucs_director_and_cisco_ucs_director_express_for_big_data | — | — |
| cisco | ucs_director_express_for_big_data | <= 3.7.3.0 | — |
Detection & IOCs (extracted from sources)
- Monitor the REST API endpoints of Cisco UCS Director for unauthenticated or otherwise anomalous requests whose path parameters contain directory traversal sequences (for example `../`, including its URL-encoded forms). Such requests may indicate exploitation of the authentication bypass or traversal vulnerabilities.
- Alert on REST API requests that try to read the administrator API key file by absolute path, in particular requests matching the LEAK_FILE parameter pattern used by the Metasploit module that targets this CVE.
- Detect execution of Cloupia scripts through the REST API, especially from unauthenticated or newly authenticated sessions: the public exploit chain ends in arbitrary command execution as root through the Cloupia script interpreter.
- Treat Cisco UCS Director instances running releases earlier than 6.7.4.0 as vulnerable. Cisco states there are no workarounds, so for unpatched hosts restrict network access to the REST API until the update is applied.
- If an administrator API key is already known or has been obtained separately, the authentication bypass step is unnecessary and an attacker can go straight to Cloupia script RCE. Detection must therefore cover abuse of legitimate API keys, not only unauthenticated access.
- The vulnerabilities affect both Cisco UCS Director and Cisco UCS Director Express for Big Data; detection and patching scope must include both products.
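One way to implement the first three detection notes above over request logs, as an added example that is not code from this page, from Cisco or from the Metasploit module. It percent-decodes each request repeatedly (so double-encoded traversal is not missed), then tags traversal sequences, absolute-path parameter values, and any Cloupia script invocation; the Cloupia check fires regardless of authentication state, which is what the API-key-abuse note calls for. The endpoint path `/app/api/rest`, the `opName`/`name`/`file` parameter names, the JSON body shape and the `authenticated` field are assumptions made for the constructed sample records; map them onto whatever your proxy or WAF actually logs.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample of REST API requests as a reverse proxy in front of
# UCS Director might log them. Endpoint path, parameter names and the
# "authenticated" flag are hypothetical, not taken from Cisco or Metasploit.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "GET", "authenticated": True,
     "uri": "/app/api/rest?opName=listVMs&id=42", "body": ""},
    {"src": "198.51.100.7", "method": "GET", "authenticated": False,
     "uri": "/app/api/rest?opName=getFile&name=..%2F..%2F..%2Fopt%2Fkeys%2Fadmin.key",
     "body": ""},
    {"src": "198.51.100.7", "method": "GET", "authenticated": False,
     "uri": "/app/api/rest?opName=getFile&name=/opt/keys/admin.key", "body": ""},
    {"src": "198.51.100.7", "method": "POST", "authenticated": True,
     "uri": "/app/api/rest?opName=runCloupiaScript",
     "body": '{"script": "java.lang.Runtime.getRuntime().exec(\\"id\\")"}'},
    {"src": "10.0.0.9", "method": "GET", "authenticated": True,
     "uri": "/app/api/rest?opName=getReport&file=weekly.csv", "body": ""},
]

# "../" or "..\" after decoding; encoded variants are handled by normalize().
TRAVERSAL = re.compile(r"\.\.[/\\]")
# Parameter values that are absolute paths into directories a key file lives in.
ABS_PATH = re.compile(r"^/(?:etc|opt|root|home|var)/", re.I)
# Any reference to the Cloupia script interpreter in URI or body.
CLOUPIA = re.compile(r"cloupia", re.I)


def normalize(value, max_rounds=3):
    """Percent-decode until stable so double-encoded traversal does not slip past."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze(req):
    """Return the set of detection tags raised for one request record."""
    tags = set()
    uri = normalize(req["uri"])
    body = normalize(req.get("body", ""))
    params = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    # 1. Traversal sequences anywhere in the decoded URI or body.
    if TRAVERSAL.search(uri) or TRAVERSAL.search(body):
        tags.add("traversal")
    # 2. A parameter whose value is an absolute path into a sensitive directory.
    for _name, value in params:
        if ABS_PATH.match(value):
            tags.add("absolute_path_param")
    # 3. Cloupia script execution, tagged whether or not the session is authenticated.
    if CLOUPIA.search(uri) or CLOUPIA.search(body):
        tags.add("cloupia_script")
    if tags and not req.get("authenticated", False):
        tags.add("unauthenticated")
    return tags


def severity(tags):
    """Traversal or Cloupia execution is high on its own; a bare absolute path is
    a weaker signal unless it arrives from an unauthenticated session."""
    if "cloupia_script" in tags or "traversal" in tags:
        return "high"
    if "absolute_path_param" in tags:
        return "high" if "unauthenticated" in tags else "medium"
    return "none"


def scan(requests):
    """Run every record through analyze() and return one alert per tagged request."""
    alerts = []
    for req in requests:
        tags = analyze(req)
        if tags:
            alerts.append({"src": req["src"], "uri": req["uri"],
                           "tags": sorted(tags), "severity": severity(tags)})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert["severity"], alert["src"], alert["tags"], alert["uri"])
```

On the constructed sample the scan raises three alerts: the encoded traversal and the absolute-path key read from the unauthenticated source, and the Cloupia script call from an authenticated session, which is the case a rule keyed only on missing authentication would miss. Tune `ABS_PATH` to the directories that matter on your appliances; legitimate file parameters will otherwise produce medium-severity noise.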
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_cisco | — | 9.8 | CRITICAL | — |
Cisco
Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data
vendor_cisco · 2020-04-15 · CVSS 9.8 (CVSS version 3.0) · CRITICAL
The source holds two records for the same Cisco advisory, one indexed under CVE-2020-3239 (CWE-20) and one under CVE-2020-3250; the advisory covers several CVEs in this product family.
Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section of the advisory.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E
CWE: CWE-20, CWE-22, CWE-264
Bug IDs: CSCvs53493, CSCvs53496, CSCvs53500
GHSA
GHSA-xm2g-jw84-7vcv · ghsa_unreviewed · 2022-05-24 · HIGH
CVE-2020-3250: Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
Suricata
Six Emerging Threats rules are indexed against this entry, but every one of them references CVE-2007-3250 (an Elxis CMS SQL injection in mod_banners.php, SecurityFocus BID 24478), not CVE-2020-3250. They appear to have been associated on the shared numeric suffix and do not detect exploitation of the UCS Director vulnerabilities. Listed for completeness (suricata · 2010-07-30 · CVSS 7.5 · HIGH):

| SID | Rev | Title | URI content matches after "/mod_banners.php?" |
|---|---|---|---|
| 2006449 | 9 | ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php SELECT | "SELECT", then "FROM" |
| 2006450 | 10 | ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UNION SELECT | "UNION", then "SELECT" |
| 2006451 | 10 | ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php INSERT | "INSERT", then "INTO" |
| 2006452 | 10 | ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php DELETE | "DELETE", then "FROM" |
| 2006453 | 10 | ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php ASCII | "ASCII(", then "SELECT" |
| 2006454 | 10 | ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UPDATE | "UPDATE", then "SET" |

All six share the same rule skeleton, which differs only in the msg, the two keyword content matches and the sid/rev. The INSERT variant as indexed (trailing metadata is truncated in the source):
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php INSERT"; flow:established,to_server; http.uri; content:"/mod_banners.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; classtype:web-application-attack; sid:2006451; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique
No writeups or analysis indexed.

References
- http://packetstormsecurity.com/files/157955/Cisco-UCS-Director-Cloupia-Script-Remote-Code-Execution.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E
- https://www.zerodayinitiative.com/advisories/ZDI-20-538/

Published: 2020-04-15