ID

VAR-202102-0579


CVE

CVE-2021-1354


TITLE

Cisco Unified Computing System Central Certificate validation vulnerabilities in software

Trust: 0.8

sources: JVNDB: JVNDB-2021-003112

DESCRIPTION

A vulnerability in the certificate registration process of Cisco Unified Computing System (UCS) Central Software could allow an authenticated, adjacent attacker to register a rogue Cisco Unified Computing System Manager (UCSM). This vulnerability is due to improper certificate validation. An attacker could exploit this vulnerability by sending a crafted HTTP request to the registration API. A successful exploit could allow the attacker to register a rogue Cisco UCSM and gain access to Cisco UCS Central Software data and Cisco UCSM inventory data. The software supports management of multiple Cisco UCS instances or domains in different locations and environments. Up to 10,000 Cisco UCS servers (blade, rack, and mini) and Cisco HyperFlex systems can be supported using the software.

Trust: 1.8

sources: NVD: CVE-2021-1354 // JVNDB: JVNDB-2021-003112 // VULHUB: VHN-374408 // VULMON: CVE-2021-1354

AFFECTED PRODUCTS

vendor: cisco, model: unified computing system central software, scope: lt, version: 2.0\(1m\)

Trust: 1.0

vendor: Cisco Systems, model: cisco unified computing system central software, scope: eq, version: -

Trust: 0.8

vendor: Cisco Systems, model: cisco unified computing system central software, scope: eq, version: cisco unified computing system central software

Trust: 0.8

vendor: Cisco Systems, model: cisco unified computing system central software, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-003112 // NVD: CVE-2021-1354

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-1354
value: LOW

Trust: 1.0

ykramarz@cisco.com: CVE-2021-1354
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-1354
value: LOW

Trust: 0.8

CNNVD: CNNVD-202102-244
value: LOW

Trust: 0.6

VULHUB: VHN-374408
value: LOW

Trust: 0.1

VULMON: CVE-2021-1354
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2021-1354
severity: LOW
baseScore: 2.7
vectorString: AV:A/AC:L/AU:S/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 5.1
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-374408
severity: LOW
baseScore: 2.7
vectorString: AV:A/AC:L/AU:S/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 5.1
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-1354
baseSeverity: LOW
baseScore: 3.5
vectorString: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.1
impactScore: 1.4
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2021-1354
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2021-1354
baseSeverity: LOW
baseScore: 3.5
vectorString: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-374408 // VULMON: CVE-2021-1354 // JVNDB: JVNDB-2021-003112 // CNNVD: CNNVD-202102-244 // NVD: CVE-2021-1354 // NVD: CVE-2021-1354

PROBLEMTYPE DATA

problemtype:CWE-295

Trust: 1.1

problemtype:Bad certificate verification (CWE-295) [ Other ]

Trust: 0.8

sources: VULHUB: VHN-374408 // JVNDB: JVNDB-2021-003112 // NVD: CVE-2021-1354

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202102-244

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202102-244

PATCH

title: cisco-sa-ucs-invcert-eOpRvCKH, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucs-invcert-eOpRvCKH

Trust: 0.8

title: Cisco UCS Central Repair measures for trust management problem vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=141106

Trust: 0.6

title: Cisco: Cisco Unified Computing System Central Software Improper Certificate Validation Vulnerability, url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ucs-invcert-eOpRvCKH

Trust: 0.1

sources: VULMON: CVE-2021-1354 // JVNDB: JVNDB-2021-003112 // CNNVD: CNNVD-202102-244

EXTERNAL IDS

db: NVD, id: CVE-2021-1354

Trust: 2.6

db: JVNDB, id: JVNDB-2021-003112

Trust: 0.8

db: CNNVD, id: CNNVD-202102-244

Trust: 0.6

db: VULHUB, id: VHN-374408

Trust: 0.1

db: VULMON, id: CVE-2021-1354

Trust: 0.1

sources: VULHUB: VHN-374408 // VULMON: CVE-2021-1354 // JVNDB: JVNDB-2021-003112 // CNNVD: CNNVD-202102-244 // NVD: CVE-2021-1354

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ucs-invcert-eoprvckh

Trust: 1.9

url:https://nvd.nist.gov/vuln/detail/cve-2021-1354

Trust: 1.4

url:https://vigilance.fr/vulnerability/cisco-ucs-central-software-privilege-escalation-via-certificate-registration-process-34480

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/295.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-374408 // VULMON: CVE-2021-1354 // JVNDB: JVNDB-2021-003112 // CNNVD: CNNVD-202102-244 // NVD: CVE-2021-1354

SOURCES

db: VULHUB, id: VHN-374408
db: VULMON, id: CVE-2021-1354
db: JVNDB, id: JVNDB-2021-003112
db: CNNVD, id: CNNVD-202102-244
db: NVD, id: CVE-2021-1354

LAST UPDATE DATE

2024-08-14T14:25:28.025000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-374408, date: 2021-02-08T00:00:00
db: VULMON, id: CVE-2021-1354, date: 2021-02-08T00:00:00
db: JVNDB, id: JVNDB-2021-003112, date: 2021-10-18T08:04:00
db: CNNVD, id: CNNVD-202102-244, date: 2021-02-09T00:00:00
db: NVD, id: CVE-2021-1354, date: 2023-11-07T03:28:04.493

SOURCES RELEASE DATE

db: VULHUB, id: VHN-374408, date: 2021-02-04T00:00:00
db: VULMON, id: CVE-2021-1354, date: 2021-02-04T00:00:00
db: JVNDB, id: JVNDB-2021-003112, date: 2021-10-18T00:00:00
db: CNNVD, id: CNNVD-202102-244, date: 2021-02-03T00:00:00
db: NVD, id: CVE-2021-1354, date: 2021-02-04T17:15:18.763