Cisco UCS Fabric Interconnects CLI/Web Command Injection Vulnerabilities (CVE-2020-20285/20286)

Critical Vulnerability Information Vulnerability Overview CVE ID: CVE-2020-20286, CVE-2020-20285 Severity: Medium (CVSS Base Score: 6.0) Affected Products: - UCS 6300 Series Fabric Interconnects - UCS 9400 Series Fabric Interconnects - UCS 9500 Series Fabric Interconnects - UCS-X Series Direct Attach Interconnects 10/40G Vulnerability Details Command Injection Vulnerabilities in CLI and Web-Based Management Interfaces: - Authenticated local attackers can exploit these vulnerabilities by performing command injection attacks on affected devices, thereby gaining elevated privileges and control over the underlying operating system. - Attackers can use malicious input within command parameters provided by authenticated users to create or overwrite files on any filesystem, including system files. Impact Scope Affected Products: - UCS 6300 Series Fabric Interconnects - UCS 9400 Series Fabric Interconnects - UCS 9500 Series Fabric Interconnects - UCS-X Series Direct Attach Interconnects 10/40G Products Confirmed Not Affected: - Various Cisco products such as Firepower 1000 Series, Firepower 2100 Series, etc. Solutions and Fixes Software Updates Released: - Cisco has released software updates to address these vulnerabilities. - Users should regularly check the Cisco Security Advisories page for the latest information. Workarounds No Workarounds Available: - Currently, no workarounds are available to mitigate these vulnerabilities. Public Disclosure and Announcements Discovered During Internal Security Testing: - These vulnerabilities were discovered during internal security testing. URL Cisco Security Advisory Revision History Version 1.0: Initial public release, published on April 7, 2020.

Goal Reached Thanks to every supporter — we hit 100%!

Cisco UCS Fabric Interconnects CLI/Web Command Injection Vulnerabilities (CVE-2020-20285/20286)