topic Cisco fixes vulnerabilities in Integrated Management Controller in Threats https://community.isc2.org/t5/Threats/Cisco-fixes-vulnerabilities-in-Integrated-Management-Controller/m-p/69642#M1183 <P>Dear all,</P><P>&nbsp;</P><P><SPAN class="">Cisco has released patches for two privilege escalation vulnerabilities in its Integrated Management Controller (IMC) that is used for out-of-band management of many of its server products, as well as various appliances. The flaws could allow authenticated attackers to execute commands as root on the underlying operating system, one of them already has proof-of-concept exploit code available publicly.</SPAN></P><P><SPAN class="">&nbsp;</SPAN></P><P><SPAN class="">The two vulnerabilities, tracked as&nbsp;</SPAN><A title="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-mUx4c5AJ" href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-mUx4c5AJ" target="_blank" rel="noopener noreferrer"><SPAN class="">CVE-2024-20295</SPAN></A><SPAN class="">&nbsp;and&nbsp;</SPAN><A title="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-bLuPcb" href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-bLuPcb" target="_blank" rel="noopener noreferrer"><SPAN class="">CVE-2024-20356</SPAN></A><SPAN class="">, are rated 8.8 and 8.7 in the Common Vulnerability Scoring System (CVSS) which equates to high severity. Both can be exploited over the network if the IMC interfaces are remotely accessible, but the reason why they’re not rated critical is because the attackers need to be authenticated and have some privileges already.</SPAN></P><P>&nbsp;</P><P><SPAN class=""><A href="https://www.csoonline.com/article/2093447/cisco-fixes-vulnerabilities-in-integrated-management-controller.html?utm_campaign=editorial&amp;utm_medium=cso&amp;utm_source=browseralert" target="_blank" rel="noopener">https://www.csoonline.com/article/2093447/cisco-fixes-vulnerabilities-in-integrated-management-controller.html?utm_campaign=editorial&amp;utm_medium=cso&amp;utm_source=browseralert</A></SPAN></P><P>&nbsp;</P><P><SPAN class=""><A href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-mUx4c5AJ" target="_blank" rel="noopener">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-mUx4c5AJ</A></SPAN></P><P>&nbsp;</P><P><A href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-bLuPcb" target="_blank">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-bLuPcb</A></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 22 Apr 2024 15:24:22 GMT Kyaw_Myo_Oo 2024-04-22T15:24:22Z Cisco fixes vulnerabilities in Integrated Management Controller https://community.isc2.org/t5/Threats/Cisco-fixes-vulnerabilities-in-Integrated-Management-Controller/m-p/69642#M1183 <P>Dear all,</P><P>&nbsp;</P><P><SPAN class="">Cisco has released patches for two privilege escalation vulnerabilities in its Integrated Management Controller (IMC) that is used for out-of-band management of many of its server products, as well as various appliances. The flaws could allow authenticated attackers to execute commands as root on the underlying operating system, one of them already has proof-of-concept exploit code available publicly.</SPAN></P><P><SPAN class="">&nbsp;</SPAN></P><P><SPAN class="">The two vulnerabilities, tracked as&nbsp;</SPAN><A title="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-mUx4c5AJ" href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-mUx4c5AJ" target="_blank" rel="noopener noreferrer"><SPAN class="">CVE-2024-20295</SPAN></A><SPAN class="">&nbsp;and&nbsp;</SPAN><A title="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-bLuPcb" href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-bLuPcb" target="_blank" rel="noopener noreferrer"><SPAN class="">CVE-2024-20356</SPAN></A><SPAN class="">, are rated 8.8 and 8.7 in the Common Vulnerability Scoring System (CVSS) which equates to high severity. Both can be exploited over the network if the IMC interfaces are remotely accessible, but the reason why they’re not rated critical is because the attackers need to be authenticated and have some privileges already.</SPAN></P><P>&nbsp;</P><P><SPAN class=""><A href="https://www.csoonline.com/article/2093447/cisco-fixes-vulnerabilities-in-integrated-management-controller.html?utm_campaign=editorial&amp;utm_medium=cso&amp;utm_source=browseralert" target="_blank" rel="noopener">https://www.csoonline.com/article/2093447/cisco-fixes-vulnerabilities-in-integrated-management-controller.html?utm_campaign=editorial&amp;utm_medium=cso&amp;utm_source=browseralert</A></SPAN></P><P>&nbsp;</P><P><SPAN class=""><A href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-mUx4c5AJ" target="_blank" rel="noopener">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-mUx4c5AJ</A></SPAN></P><P>&nbsp;</P><P><A href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-bLuPcb" target="_blank">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-bLuPcb</A></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 22 Apr 2024 15:24:22 GMT https://community.isc2.org/t5/Threats/Cisco-fixes-vulnerabilities-in-Integrated-Management-Controller/m-p/69642#M1183 Kyaw_Myo_Oo 2024-04-22T15:24:22Z