
Cisco plugs remote code execution flaw in UCS Central control freak

Cisco has patched a remote code execution bug that could give attackers root privileges on its Unified Computing System (UCS) Central software, which is used by more than 30,000 organisations.

The UCS data centre server platform joins hardware, virtualisation, networking and software into one system. Versions 1.2 and below are affected.

The Borg says the vulnerability (CVE-2015-0701) carries the maximum severity rating of 10 because it has low exploitation requirements and a "complete" impact on confidentiality, integrity and availability.

"A vulnerability in the web framework of Cisco UCS Central Software could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device," it says in an advisory.

"The vulnerability is due to improper input validation. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the root user."

The Borg says patches for the bug are available but warns there are no workarounds.

Successful exploitation of the problem would grant unauthenticated access to sensitive information, allow arbitrary command execution on UCS boxes' operating systems, or create denial of service conditions.

Happily, no attacks using the flaw have been spotted in the wild.
