Cisco UCS Central Software Input Validation Flaw Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1032267
SecurityTracker URL: http://securitytracker.com/id/1032267
Date: May 6 2015
Impact: Execution of arbitrary code via network, Root access via network
Fix Available: Yes   Vendor Confirmed: Yes
Version(s): UCS Central 1.2 and prior
Description: A vulnerability was reported in Cisco UCS Central Software. A remote user can execute arbitrary code on the target system.
A remote user can send a specially crafted HTTP request to trigger an input validation flaw and execute arbitrary operating system commands on the target device. The commands will run with root privileges.
The vendor has assigned bug ID CSCut46961 to this vulnerability.
Impact: A remote user can execute arbitrary commands on the target device with root privileges.
Solution: The vendor has issued a fix (1.3(1a)).
The vendor's advisory is available at: tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150506-ucsc
Cause: Input validation error
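Since no workaround exists, the only defensive action is to find every UCS Central instance still running 1.2 or earlier and schedule the 1.3(1a) upgrade. The script below is an added example (not SecurityTracker's or Cisco's code) that takes a hostname-to-version inventory and flags the affected ones. It assumes UCS Central version strings follow the shape major.minor(patch-number plus optional build letter), e.g. "1.3(1a)", with the parenthesised part sometimes absent, e.g. "1.2"; the inventory values are constructed sample data.

```python
import re
from typing import Dict, Tuple

# Assumed version format: "<major>.<minor>(<patch><letter>)", parentheses optional,
# e.g. "1.3(1a)" or "1.2". Anything else is rejected rather than silently passed.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\((\d+)([a-z]?)\))?\s*$")

# First fixed release named in the advisory.
FIXED_VERSION = "1.3(1a)"

VersionKey = Tuple[int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Turn a UCS Central version string into a comparable (major, minor, patch, letter) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised UCS Central version string: {text!r}")
    major, minor, patch, letter = m.groups()
    # A bare "1.2" becomes (1, 2, 0, 0), so it sorts below every "1.2(Nx)" build.
    patch_n = int(patch) if patch else 0
    letter_n = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), patch_n, letter_n)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the version predates the first fixed release (conservative: '1.3' without a
    patch designator also counts as affected, since it sorts below 1.3(1a))."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'UPGRADE' (affected) or 'ok' (at or above the fixed release).
    Unparseable versions are reported as 'UNKNOWN' so they are not lost from the list."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "UPGRADE" if is_affected(version) else "ok"
        except ValueError:
            result[host] = "UNKNOWN"
    return result


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "ucsc-lab-01": "1.2(1a)",
    "ucsc-lab-02": "1.3(1a)",
    "ucsc-lab-03": "1.1(2b)",
    "ucsc-lab-04": "1.3(1b)",
    "ucsc-lab-05": "n/a",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}\t{SAMPLE_INVENTORY[host]}\t{verdict}")
```

The comparison is deliberately conservative: any version string that does not parse is surfaced as UNKNOWN rather than dropped, and a bare major.minor with no patch designator is treated as older than the fixed release.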
Source Message Contents
Subject: Cisco Security Advisory: Cisco UCS Central Software Arbitrary Command Execution Vulnerability
Cisco Security Advisory: Cisco UCS Central Software Arbitrary Command Execution Vulnerability
Advisory ID: cisco-sa-20150506-ucsc
For Public Release 2015 May 6 16:00 UTC (GMT)
A vulnerability in the web framework of Cisco UCS Central Software could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.
The vulnerability is due to improper input validation. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the root user.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link: