PT-2019-3283 · Cisco · Cisco UCS Fabric Interconnect (and 3 further products)

Published: 2019-08-28 · Updated: 2020-10-16 · CVE-2019-1966

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Cisco UCS Fabric Interconnect Software (affected versions not specified)
UCS 6200 Series Fabric Interconnects (affected versions not specified)
UCS 6300 Series Fabric Interconnects (affected versions not specified)
UCS 6400 Series Fabric Interconnects (affected versions not specified)
Description

A vulnerability in the local management (local-mgmt) context of Cisco UCS Fabric Interconnect Software could allow an authenticated, local attacker to gain root privileges on an affected device. The issue is due to extraneous subcommand options present for a specific CLI command within the local-mgmt context. An attacker could exploit this by authenticating to the device, entering the local-mgmt context, and issuing that CLI command with crafted user input. A successful exploit could allow the attacker to execute arbitrary operating system commands as root. Note that the attacker must already hold valid credentials and CLI access: the vector rates the required privileges as low (PR:L), so the practical exposure is that any low-privileged but legitimate account on the Fabric Interconnect can be escalated to full control of the device. The specific command and subcommand options are not named in this entry.
Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability. Until a fixed release is identified, reduce exposure along the only path described above, an authenticated CLI session that enters the local-mgmt context. For Cisco UCS Fabric Interconnect Software, restrict which accounts can log in to the Fabric Interconnect CLI at all, review whether low-privileged accounts actually need CLI access, and remove stale or shared accounts, since any valid login is a potential starting point. For UCS 6200, 6300 and 6400 Series Fabric Interconnects, restrict use of the local-mgmt context (entered with the connect local-mgmt command) and of the affected CLI command to administrators who need it, and enable audit or AAA command accounting so that sessions entering local-mgmt from unexpected accounts or source addresses can be reviewed.
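The review step in the recommendation above can be scripted. The following is an added example, not code from this entry or from Cisco: it scans CLI audit records for entries into the local-mgmt context and for commands issued inside it by accounts that are not on an approved list. The log format (one line per command with user, role, source address and command fields) and the sample lines are constructed for illustration; real Fabric Interconnect accounting output will differ and the regular expression would have to be adapted. The approved-account and approved-role sets are likewise assumptions to be replaced with the site's own.

```python
"""Flag local-mgmt context use on a UCS Fabric Interconnect by accounts that
are not on an approved list. CVE-2019-1966 requires a valid login plus the
local-mgmt context, so unexpected entries into that context are the signal
worth reviewing. Log format and sample data below are constructed, not real
UCS output."""
import re
from dataclasses import dataclass

# Assumed audit line layout: "<ts> <host> AUDIT: user=<u> role=<r> src=<ip> cmd="<command>""
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) AUDIT: user=(?P<user>\S+) role=(?P<role>\S+) '
    r'src=(?P<src>\S+) cmd="(?P<cmd>[^"]*)"$'
)

# Constructed sample: an admin session, a non-admin session that enters
# local-mgmt (on fabric B) and runs a command there, an unrelated login, and
# one unparseable line that must be skipped rather than crash the scan.
SAMPLE_LOG = """\
2019-08-29T10:01:12Z FI-A AUDIT: user=admin role=admin src=10.0.0.5 cmd="connect local-mgmt"
2019-08-29T10:01:40Z FI-A AUDIT: user=admin role=admin src=10.0.0.5 cmd="show version"
2019-08-29T10:02:01Z FI-A AUDIT: user=admin role=admin src=10.0.0.5 cmd="exit"
2019-08-29T11:15:03Z FI-A AUDIT: user=jdoe role=operations src=10.0.0.77 cmd="connect local-mgmt b"
2019-08-29T11:15:09Z FI-A AUDIT: user=jdoe role=operations src=10.0.0.77 cmd="show version"
2019-08-29T11:15:30Z FI-A AUDIT: user=jdoe role=operations src=10.0.0.77 cmd="exit"
2019-08-29T12:00:00Z FI-B AUDIT: user=svc-backup role=read-only src=10.0.0.9 cmd="show version"
this line is deliberately malformed and must be ignored
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    role: str
    src: str
    reason: str


def parse_line(line):
    """Return the fields of one audit line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_local_mgmt_abuse(lines, allowed_users=frozenset({"admin"}),
                          allowed_roles=frozenset({"admin"})):
    """Track which (host, user, src) sessions are inside local-mgmt and flag
    entries and in-context commands by accounts outside the allow-lists.
    'connect local-mgmt' may carry an optional fabric argument (a/b)."""
    findings = []
    in_local_mgmt = {}  # (host, user, src) -> timestamp of context entry
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line
        key = (rec["host"], rec["user"], rec["src"])
        cmd = rec["cmd"].strip()
        approved = rec["user"] in allowed_users and rec["role"] in allowed_roles
        if cmd == "connect local-mgmt" or cmd.startswith("connect local-mgmt "):
            in_local_mgmt[key] = rec["ts"]
            if not approved:
                findings.append(Finding(rec["ts"], rec["host"], rec["user"],
                                        rec["role"], rec["src"],
                                        "local-mgmt entered by non-approved account"))
        elif cmd == "exit" and key in in_local_mgmt:
            del in_local_mgmt[key]
        elif key in in_local_mgmt and not approved:
            findings.append(Finding(rec["ts"], rec["host"], rec["user"],
                                    rec["role"], rec["src"],
                                    "command issued inside local-mgmt by "
                                    "non-approved account: " + cmd))
    return findings


if __name__ == "__main__":
    for f in find_local_mgmt_abuse(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.host} {f.user}({f.role}) from {f.src}: {f.reason}")
```

Run against the constructed sample, the scan reports the two jdoe records (the context entry and the command run inside it) and nothing for the admin session or the read-only login that never entered local-mgmt. Widening the allow-lists to include jdoe and the operations role clears both findings, which is the knob to tune once the site has decided who legitimately needs the context.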

Weakness Enumeration

Related Identifiers

BDU:2019-03306
CVE-2019-1966

Affected Products

Cisco UCS Fabric Interconnect
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
Cisco UCS 6400 Series Fabric Interconnects