The IMC is a baseboard management controller that oversees embedded servers inside Cisco Unified Computing System E-Series Blade servers.
The vulnerability was reported in the IMC’s SSH module, and an attacker could remotely exploit the condition to cause the underlying server to crash.
“The vulnerability is due to a failure to properly handle a crafted SSH packet,” Cisco said in a separate advisory.
Hackers sending crafted packets to an SSH server running on the Cisco IMC could create a denial-of-service condition on the device. The OS running on the blade would not be impacted, Cisco said. Hackers use packet generators to send crafted packets, rather than regular network traffic, to probe network devices for holes.
Cisco’s E-Series servers are deployed inside the Cisco Integrated Services Routers Generation 2; versions E140D, DP, E160D and DP, E140S M1 and M2, and EN120S M2 are affected, Cisco said. Cisco added at the UCS B- and C-Series Blade servers are not affected.
“Successful exploitation of the vulnerability may cause the Cisco IMC of the affected blade server to become unresponsive,” Cisco said in its advisory. “This will result in the administrator being unable to utilize the out-of-band features that the Cisco IMC provides, such as remote power-on/off, IP keyboard-video-mouse (KVM), remote media (vMedia), and serial console access. The device may need to be physically restarted to restore the Cisco IMC functionality.”
Cisco said it is not aware of any public exploits, nor did it provide any workarounds.
A bit of research has been done about the security of embedded baseboard management controllers. Prominent researchers such as SATAN developer Dan Farmer and Metasploit creator HD Moore have disclosed numerous problems, including weak or default authentication putting access to the device at risk.
The problems with BMCs gained momentum more than a year ago when Farmer discovered a half-dozen critical vulnerabilities, including authentication bypass issues and UPnP vulnerabilities that could lead to root compromises. Moore collaborated with Farmer to conduct an Internet scan for IPMI—the protocol inside most BMCs—learning that hundreds of thousands of servers and devices were exposed, some lacking encryption, others with the aforementioned authentication weaknesses.