Cisco fixes vulnerabilities in Integrated Management Controller

Cisco has released patches for two privilege escalation vulnerabilities in its Integrated Management Controller (IMC), which is used for out-of-band management of many of its server products as well as various appliances. The flaws could allow authenticated attackers to execute commands as root on the underlying operating system, and proof-of-concept exploit code for one of them is already publicly available.

The two vulnerabilities, tracked as CVE-2024-20295 and CVE-2024-20356, are rated 8.8 and 8.7 in the Common Vulnerability Scoring System (CVSS), which equates to high severity. Both can be exploited over the network if the IMC interfaces are remotely accessible; they are not rated critical because attackers need to be authenticated and must already hold some privileges.

The Cisco IMC is a baseboard management controller (BMC): a dedicated processor, usually included in servers, that runs specialized software allowing remote monitoring and management of a system’s hardware even when the main operating system is shut down. Because BMCs often have their own CPU, memory, network ports and even their own operating system, they are often described as small computers running inside bigger computers.

“The Cisco IMC enables system management in the data center and across distributed branch-office locations,” the Cisco documentation reads. “It supports multiple management interfaces, including a Web User Interface (Web UI), a Command-Line Interface (CLI), and an XML API that is consistent with the one used by Cisco UCS Manager.”

The IMC is present in a variety of Cisco Unified Computing System (UCS) servers, as well as in specific Cisco appliances based on those servers. The two vulnerabilities are present in different IMC interfaces.

Insufficient input validation

The CVE-2024-20295 flaw is in the IMC CLI and stems from insufficient validation of user-supplied input. An attacker with read-only or higher privileges on an affected device and access to the IMC CLI can inject commands that are executed with root privileges.

The vulnerability impacts the Cisco 5000 Series Enterprise Network Compute Systems (ENCS), Catalyst 8300 Series Edge uCPE, UCS C-Series Rack Servers in standalone mode and UCS E-Series Servers in default configurations. Many other products and appliances that are based on UCS C-Series servers are also affected if the IMC CLI was explicitly configured to be accessible — IMC is not exposed by default on these devices.

The Cisco Product Security Incident Response Team (PSIRT) is aware of public proof-of-concept code being available for this vulnerability but has not seen malicious exploitation in the wild.

The second vulnerability, CVE-2024-20356, is located in the web-based management interface of Cisco IMC and can be exploited, through specially crafted commands, by attackers who have administrator-level privileges.

The flaw impacts Cisco 5000 Series Enterprise Network Compute Systems (ENCS), Catalyst 8300 Series Edge uCPE, UCS C-Series M5, M6, and M7 Rack Servers in standalone mode, UCS E-Series Servers and UCS S-Series Storage Servers in standalone mode. As with the previous vulnerability, appliances based on UCS C-Series servers are also impacted if their default configurations were changed in order to expose the IMC user interface.

Most server manufacturers have their own BMC implementations and these controllers and their software have a history of serious vulnerabilities. Sophisticated attackers, including APT groups, have even created malware implants targeting these interfaces.

Bypassing SNMP restrictions in IOS and IOS XE

Cisco also patched a medium-risk vulnerability, CVE-2024-20373, in its IOS and IOS XE Software, which are used on many of its enterprise switches and routers. The flaw allows unauthenticated attackers to bypass the Access Control List (ACL) feature for the Simple Network Management Protocol (SNMP) in certain cases. SNMP lets devices expose information about their configuration and status, and accept changes to those settings, over the network.

“This vulnerability exists because Cisco IOS software and Cisco IOS XE software do not support extended IPv4 ACLs for SNMP, but they do allow administrators to configure extended named IPv4 ACLs that are attached to the SNMP server configuration without a warning message,” Cisco explains in its advisory. “This can result in no ACL being applied to the SNMP listening process.”
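As an added illustration of the ACL mismatch the advisory describes (this is not code from the article or from Cisco), the Python audit below scans a Cisco IOS/IOS XE running-config for `snmp-server community` lines whose ACL argument is missing, refers to an ACL that is not defined, or refers to an extended IPv4 ACL, the type the quoted advisory says is not supported for SNMP. It embeds two constructed config snippets: a weak one that attaches an extended named ACL (and a numbered extended ACL) to community strings, and a corrected one that attaches standard ACLs instead. Hostnames, ACL names, community strings and the 192.0.2.0/24 addresses are constructed placeholders; the numbered-ACL ranges are the usual IOS conventions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Numbered IPv4 ACL ranges by IOS convention: standard 1-99 and 1300-1999,
# extended 100-199 and 2000-2699.
STANDARD_NUMBERED = [(1, 99), (1300, 1999)]
EXTENDED_NUMBERED = [(100, 199), (2000, 2699)]

NAMED_ACL_RE = re.compile(r"^ip access-list (standard|extended) (\S+)\s*$")
NUMBERED_ACL_RE = re.compile(r"^access-list (\d+) ")
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(.*)$")


def numbered_acl_kind(number: int) -> str:
    """Classify a numbered IPv4 ACL as 'standard', 'extended' or 'unknown'."""
    for lo, hi in STANDARD_NUMBERED:
        if lo <= number <= hi:
            return "standard"
    for lo, hi in EXTENDED_NUMBERED:
        if lo <= number <= hi:
            return "extended"
    return "unknown"


def collect_acls(config: str) -> Dict[str, str]:
    """Map every ACL name or number defined in the config to its kind."""
    acls: Dict[str, str] = {}
    for line in config.splitlines():
        m = NAMED_ACL_RE.match(line)
        if m:
            acls[m.group(2)] = m.group(1)
            continue
        m = NUMBERED_ACL_RE.match(line)
        if m:
            acls[m.group(1)] = numbered_acl_kind(int(m.group(1)))
    return acls


def acl_reference(rest: str) -> Optional[str]:
    """Extract the IPv4 ACL argument from the tail of a community line.

    Syntax handled: [view NAME] [RO|RW] [ipv6 NACL] [ACL]; 'view' and 'ipv6'
    each consume one argument that is not an IPv4 ACL.
    """
    tokens = rest.split()
    acl = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("view", "ipv6"):
            i += 2
            continue
        if tok.upper() in ("RO", "RW"):
            i += 1
            continue
        acl = tok  # the only remaining positional argument is the IPv4 ACL
        i += 1
    return acl


def audit_snmp_acls(config: str) -> List[Tuple[str, str, str]]:
    """Return (community, acl_ref, issue) for each community string whose ACL
    restriction is absent ('no-acl'), not defined anywhere in the config
    ('undefined-acl'), or an extended ACL ('extended-acl')."""
    acls = collect_acls(config)
    findings: List[Tuple[str, str, str]] = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        community, ref = m.group(1), acl_reference(m.group(2))
        if ref is None:
            findings.append((community, "", "no-acl"))
        elif ref not in acls:
            findings.append((community, ref, "undefined-acl"))
        elif acls[ref] == "extended":
            findings.append((community, ref, "extended-acl"))
    return findings


# Constructed sample: extended ACLs attached to SNMP, accepted without warning.
WEAK_CONFIG = """\
hostname edge-rtr-01
!
ip access-list extended SNMP-MGMT
 permit udp host 192.0.2.10 any eq snmp
!
access-list 10 permit 192.0.2.10
access-list 101 permit udp host 192.0.2.10 any eq snmp
!
snmp-server community COMMUNITY-A RO
snmp-server community COMMUNITY-B RO SNMP-MGMT
snmp-server community COMMUNITY-C RW 10
snmp-server community COMMUNITY-D RO OLD-ACL
snmp-server community COMMUNITY-E RO 101
"""

# Constructed sample: the same restrictions expressed as standard ACLs.
FIXED_CONFIG = """\
hostname edge-rtr-01
!
ip access-list standard SNMP-MGMT-STD
 permit 192.0.2.10
!
access-list 20 permit 192.0.2.10
!
snmp-server community COMMUNITY-B RO SNMP-MGMT-STD
snmp-server community COMMUNITY-C RW 20
snmp-server community COMMUNITY-F view V1 RO 20
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        for community, ref, issue in audit_snmp_acls(cfg):
            print(f"{name}: community {community!r} acl {ref!r}: {issue}")
```

Run against a saved `show running-config`, the script reports only the community strings that need attention; the corrected snippet produces no findings because every community is tied to a standard ACL.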
