Cisco issues 17 security Unified Computing System warnings


Tech giant posts warnings about authentication vulnerabilities


Cisco has posted a package of 17 critical security warnings about authentication vulnerabilities in its Unified Computing System that could let attackers break into systems or cause denial of service troubles.

Specifically, the problems are with the vendor's UCS Director and Express, which let customers build private cloud systems and support automated provisioning processes and orchestration to optimise and simplify delivery of data centre resources, the company said.

Most of the problems centre around a weakness in the REST API – which is employed in a variety of Web-based applications – in the affected Cisco products. Cisco said the vulnerabilities have a 9.8 out of 10 score on the Common Vulnerability Scoring System.

Among the problems is a vulnerability in the REST API of Cisco UCS Director and UCS Director Express for Big Data that could let an unauthenticated, remote attacker bypass authentication and execute arbitrary actions with administrative privileges on an affected device.

The vulnerability is due to insufficient access control validation. An attacker could exploit this vulnerability by sending a crafted request to the REST API.

Another vulnerability also exists in the REST API of Cisco UCS Director and UCS Director Express for Big Data, which could allow an authenticated, remote attacker to execute arbitrary code with root privileges on the underlying operating system.

The vulnerability is due to improper input validation. An attacker could exploit this weakness by crafting a malicious file and sending it to the REST API, Cisco stated.

In addition, a further vulnerability in the REST API of Cisco UCS Director and UCS Director Express for Big Data could let an unauthenticated, remote attacker bypass authentication and execute API calls on an affected device.

The vulnerability is due to insufficient access control validation. A successful exploit could allow the attacker to interact with the REST API and cause a potential Denial of Service (DoS) condition on the affected device.

Cisco said it has released free software updates that address the vulnerabilities and has fixed the vulnerabilities in UCS Director Release 6.7.4.0 and UCS Director Express for Big Data Release 3.7.4.0.

Steven Seeley (mr_me) of Source Incite worked with Trend Micro Zero Day Initiative to divulge the problems, which have not been exploited, the company said.

In addition to the UCS products, Cisco issued two other critical security warnings this week about its IP Phones.

First, a vulnerability in the web server for Cisco IP Phones could let an unauthenticated, remote attacker execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition, Cisco stated.

This vulnerability affects the following Cisco products if they have web access enabled and are running a firmware release earlier than the first fixed release for that device:

  • IP Phone 7811, 7821, 7841, and 7861 Desktop Phones
  • IP Phone 8811, 8841, 8845, 8851, 8861, and 8865 Desktop Phones
  • Unified IP Conference Phone 8831
  • Wireless IP Phone 8821 and 8821-EX

The other IP Phone issue involves the web application for Cisco IP Phones: an attacker could send a crafted HTTP request to the web server of a targeted device. A successful exploit could let the attacker remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition.

The vulnerability exists because the affected software fails to check the bounds of input data, Cisco stated. Cisco said it has released free software updates to fix the problems.
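A patch-triage check built from the fixed UCS releases and the affected IP Phone models named above, as an added example that is not from Cisco or the original article. The inventory records and their field names (`host`, `product`, `version`, `model`, `web_access`) are constructed assumptions.

```python
import re

# Fixed releases as stated in the article.
FIXED = {
    "UCS Director": (6, 7, 4, 0),
    "UCS Director Express for Big Data": (3, 7, 4, 0),
}
# IP Phone models the article lists as affected when web access is enabled.
PHONE_MODELS = {"7811", "7821", "7841", "7861", "8811", "8841", "8845",
                "8851", "8861", "8865", "8831", "8821", "8821-EX"}

# Constructed inventory; the record layout is an assumption of this example.
INVENTORY = [
    {"host": "ucsd-01", "product": "UCS Director", "version": "6.7.3.0"},
    {"host": "ucsd-02", "product": "UCS Director", "version": "6.7.4.0"},
    {"host": "bigdata-01", "product": "UCS Director Express for Big Data", "version": "3.7.3.1"},
    {"host": "ucsd-03", "product": "UCS Director", "version": "unknown"},
    {"host": "phone-114", "product": "IP Phone", "model": "8851", "web_access": True},
    {"host": "phone-115", "product": "IP Phone", "model": "8851", "web_access": False},
    {"host": "phone-201", "product": "IP Phone", "model": "8821-EX", "web_access": True},
]

def parse_version(text):
    """Return a tuple of ints for a dotted release string, or None if malformed."""
    if not re.fullmatch(r"\d+(\.\d+)*", text or ""):
        return None
    return tuple(int(part) for part in text.split("."))

def triage(asset):
    """Classify one record as 'update', 'ok', 'verify' or 'n/a'."""
    product = asset.get("product")
    if product in FIXED:
        ver = parse_version(asset.get("version"))
        if ver is None:
            return "verify"  # an unreadable version cannot be proven patched
        fixed = FIXED[product]
        ver += (0,) * (len(fixed) - len(ver))  # treat "6.7.4" as "6.7.4.0"
        return "ok" if ver >= fixed else "update"
    if product == "IP Phone" and asset.get("model") in PHONE_MODELS:
        # The article gives no fixed firmware numbers, so phones with web access
        # enabled (or unknown) are flagged for a check against Cisco's advisory.
        return "ok" if asset.get("web_access") is False else "verify"
    return "n/a"

def report(inventory):
    return {asset["host"]: triage(asset) for asset in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:12} {status}")
```

Versions are compared numerically per component, so a release such as 6.10.0.0 is correctly treated as newer than 6.7.4.0.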

