Category:   Device (Embedded Server/Appliance)  >   Cisco Unified Computing System
Vendors:   Cisco
Cisco Unified Computing System Director Default Credentials Let Remote Users Gain Full Control
SecurityTracker Alert ID:  1029788
SecurityTracker URL:  http://securitytracker.com/id/1029788
CVE Reference:   CVE-2014-0709
Date:  Feb 20 2014
Impact:   User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Prior to Director 4.0.0.3 HOTFIX
Description:   A vulnerability was reported in Cisco Unified Computing System (UCS) Director. A remote user can take full control of the target system.

A default root user account is created during installation. A remote user can access the command line interface and use the default credentials to gain full control of the target system.

The vendor has assigned bug ID CSCui73930 to this vulnerability.

Impact:   A remote user can take full control of the target system.
Solution:   The vendor has issued a fix (Director Hotfix 4.0.0.3).

The vendor's advisory is available at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140219-ucsd

Vendor URL:  tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140219-ucsd
Cause:   Configuration error

Message History:   None.


 Source Message Contents

Subject:  Cisco Security Advisory: Cisco UCS Director Default Credentials Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Cisco Security Advisory: Cisco UCS Director Default Credentials Vulnerability

Advisory ID: cisco-sa-20140219-ucsd

Revision 1.0

For Public Release 2014 February 19 16:00  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability in Cisco Unified Computing System (UCS) Director could allow an unauthenticated, remote attacker to take complete control of the affected device.

The vulnerability is due to a default root user account created during installation. An attacker could exploit this vulnerability by accessing the server command-line interface (CLI) remotely using the default account credentials. An exploit could allow the attacker to log in with the default credentials, which provide full administrative rights to the system.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140219-ucsd

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)

iF4EAREKAAYFAlMEtOsACgkQUddfH3/BbTrerwD9F9frFRfdIPKHUxFOVSdCWw48
nYMwynXoUtbiTFxpPTwA/A1wg6tWwHyIg3OGrhLzxoMxGQzBlk1QfxxaXORde2I8
=zBK2
-----END PGP SIGNATURE-----
Copyright 2019, SecurityGlobal.net LLC