A vulnerability was found in Cisco UCS Manager (Virtualization Software) (version now known). It has been rated as problematic. This issue affects some unknown processing of the component CLI. The manipulation as part of a Parameter leads to a resource control vulnerability. Using CWE to declare the problem leads to CWE-664. The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release. Impacted is availability. The summary by CVE is:

A vulnerability in the local management (local-mgmt) CLI of Cisco UCS Manager Software could allow an authenticated, local attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper handling of CLI command parameters. An attacker could exploit this vulnerability by executing specific commands on the local-mgmt CLI on an affected device. A successful exploit could allow the attacker to cause internal system processes to fail to terminate properly, which could result in a buildup of stuck processes and lead to slowness in accessing the UCS Manager CLI and web UI. A sustained attack may result in a restart of internal UCS Manager processes and a temporary loss of access to the UCS Manager CLI and web UI.

The weakness was disclosed 08/27/2020 as cisco-sa-ucs-cli-dos-GQUxCnTe as confirmed advisory (Website). The advisory is shared at tools.cisco.com. The identification of this vulnerability is CVE-2020-3504 since 12/12/2019. An attack has to be approached locally. Required for exploitation is a simple authentication. Neither technical details nor an exploit are publicly available.

Upgrading eliminates this vulnerability.

Productinfo

Type

• Virtualization Software

Vendor

• Cisco

Name

• UCS Manager

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion