Cisco Fixes Critical Vulnerability

Tuesday, May 12, 2015 @ 06:05 PM gHale


Cisco released new software to fix a high-severity vulnerability in its Unified Computing System (UCS) Central software.

If exploited, the hole could let an attacker access sensitive information, run arbitrary code on the system, or render the device unavailable.

To plug the hole, Cisco released UCS Central Software Version 1.3(1a). Since no workarounds are available, updating to the new release is the way to protect against attacks that take advantage of the vulnerability.

UCS Central Software is a unified management solution for tasks and policies affecting thousands of servers spread across the world.

The vulnerability is present in Cisco UCS Central Software versions 1.2 and lower, and it can be exploited remotely.

Identified as CVE-2015-0701, the security flaw resides in the web framework of the product and is the result of improper input validation.

An attack works by sending the affected device a specially crafted HTTP request; the end result could be execution of arbitrary commands on the machine's operating system with root privileges.

The flaw has a calculated score of 10 under the CVSS (Common Vulnerability Scoring System) standard.

In an advisory, Cisco said there is no indication the security bug is currently being exploited.

Before updating to the new software, administrators should make sure the device has sufficient memory to carry out the task.
