Cisco UCS Central Software Configuration Backup Information Disclosure (cisco-sa-ucsc-bkpsky-TgJ5f73J)

medium Nessus Plugin ID 209303

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

According to its self-reported version, the remote Cisco UCS Central Software installation is affected by a configuration backup information disclosure vulnerability.

- A vulnerability in the backup feature of Cisco UCS Central Software could allow an attacker with access to a backup file to learn sensitive information that is stored in the full state and configuration backup files. This vulnerability is due to a weakness in the encryption method that is used for the backup function. An attacker could exploit this vulnerability by accessing a backup file and leveraging a static key that is used for the backup configuration feature. A successful exploit could allow an attacker with access to a backup file to learn sensitive information that is stored in full state backup files and configuration backup files, such as local user credentials, authentication server passwords, Simple Network Management Protocol (SNMP) community names, and the device SSL server certificate and key. (CVE-2024-20280)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Solution

Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCwe23286 and CSCwj91571.

See Also

http://www.nessus.org/u?c636e758

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe23286

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj91571

Plugin Details

Severity: Medium

ID: 209303

File Name: cisco-sa-ucsc-bkpsky-TgJ5f73J.nasl

Version: 1.1

Type: remote

Family: CISCO

Published: 10/18/2024

Updated: 10/18/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2024-20280

CVSS v3

Risk Factor: Medium

Base Score: 6.3

Temporal Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:cisco:unified_computing_system_central

Required KB Items: installed_sw/Cisco UCS Central WebUI

Exploit Ease: No known exploits are available

Patch Publication Date: 10/16/2024

Vulnerability Publication Date: 10/16/2024

Reference Information

CVE: CVE-2024-20280

CWE: 321

CISCO-SA: cisco-sa-ucsc-bkpsky-TgJ5f73J

IAVA: 2024-A-0675

CISCO-BUG-ID: CSCwe23286, CSCwj91571