Cisco Unified Computing System Manager CGI Script Lets Remote Users Execute Arbitrary Commands on the Target System
SecurityTracker Alert ID: 1034743
SecurityTracker URL: http://securitytracker.com/id/1034743
Date: Jan 20 2016
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes  Vendor Confirmed: Yes
Version(s): prior to versions 2.2(4b), 2.2(5a), 3.0(2e)
Description: A vulnerability was reported in Cisco Unified Computing System Manager. A remote user can execute arbitrary commands on the target system.
A CGI script in the web interface passes request data to the shell without sanitizing it. A remote, unauthenticated user can send a specially crafted HTTP request to execute arbitrary shell commands on the target system. The commands run with the privileges of the target service.
The Cisco Firepower 9000 Series appliance is also affected.
The vendor has assigned bug IDs CSCur90888 and CSCux10615 to this vulnerability.
Jens Krabbenh reported this vulnerability.
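The following is an added illustration of the bug class the advisory describes, not code from Cisco or from the affected script: a CGI handler that splices a request parameter into a command string run by /bin/sh, shown next to two independent fixes (an argument vector with no shell, and an allow-list check on the parameter). The parameter name "host", the use of echo as the invoked program, and both query strings are constructed assumptions; the advisory does not disclose the affected script's parameters or the command it runs.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Constructed CGI query strings standing in for the HTTP request a client sends.
# The parameter name "host" and the 'echo' command are illustrative assumptions;
# the advisory does not name the affected script's parameters or the command it runs.
BENIGN_QUERY = "host=10.0.0.1"
MALICIOUS_QUERY = "host=10.0.0.1%3Becho%20INJECTED"   # decodes to "10.0.0.1;echo INJECTED"


def host_param(query_string: str) -> str:
    """Pull the 'host' parameter out of a raw QUERY_STRING, percent-decoded."""
    return parse_qs(query_string, keep_blank_values=True).get("host", [""])[0]


def lookup_vulnerable(query_string: str) -> str:
    """The bug class in the advisory: untrusted request data is spliced into a
    command string that /bin/sh interprets, so a ';' in the value starts a second command."""
    cmd = f"echo resolving {host_param(query_string)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_argv_only(query_string: str) -> str:
    """First fix: hand the program an argument vector and involve no shell at all.
    Metacharacters in the parameter stay inside a single argument."""
    argv = ["echo", "resolving", host_param(query_string)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Hostname allow-list: letters, digits, dots and hyphens only, nothing a shell cares about.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")


def lookup_hardened(query_string: str) -> str:
    """Second fix layered on the first: reject anything outside the expected
    character set before the value reaches any external program."""
    host = host_param(query_string)
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return subprocess.run(["echo", "resolving", host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(repr(lookup_vulnerable(MALICIOUS_QUERY)))   # two lines: the injected echo ran
    print(repr(lookup_argv_only(MALICIOUS_QUERY)))    # one line: payload echoed verbatim
    try:
        lookup_hardened(MALICIOUS_QUERY)
    except ValueError as exc:
        print(exc)
```

The argv form alone already stops the injection, because nothing ever tokenizes the value; the allow-list is worth keeping anyway so that an odd value is rejected at the boundary instead of being passed on to a program whose own parsing you may not control.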
Impact: A remote user can execute arbitrary commands on the target system.
Solution: The vendor has issued a fix (2.2(4b), 2.2(5a), 3.0(2e)).
The vendor's advisory is available at:
Vendor URL: tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160120-ucsm
Cause: Input validation error
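Checking an inventory against the three fixed releases means parsing Cisco's major.minor(maintenance letter) notation rather than comparing strings. The helper below is an added example, not Cisco tooling; it encodes only what this page states: a release is fixed when it is at or above the listed fix in the same major.minor(maintenance) line, affected when it is below that fix, and affected when it sits in a listed train at a maintenance number below the lowest fix there. Any other case (a later maintenance line, or a train the page does not name) is reported as "unknown" rather than guessed.

```python
import re
from typing import List, Tuple

# Fixed releases named in the advisory.
FIXED_RELEASES = ("2.2(4b)", "2.2(5a)", "3.0(2e)")

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)([a-z]*)\)")


def parse_version(text: str) -> Tuple[int, int, int, str]:
    """Parse Cisco's notation: '2.2(4b)' -> (2, 2, 4, 'b'); '2.2(5)' -> (2, 2, 5, '')."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised UCS Manager version string: {text!r}")
    major, minor, maint, letter = m.groups()
    return int(major), int(minor), int(maint), letter


def assess(version: str) -> str:
    """Return 'fixed', 'affected' or 'unknown' for a UCS Manager version string.

    Only relationships the advisory states are encoded (see lead-in); everything
    else is 'unknown' so that the caller does not mistake a guess for a fact.
    """
    major, minor, maint, letter = parse_version(version)
    train_fixes: List[Tuple[int, int, int, str]] = [
        parse_version(f) for f in FIXED_RELEASES
        if parse_version(f)[:2] == (major, minor)
    ]
    if not train_fixes:
        return "unknown"                      # train not named on the page
    for _, _, fixed_maint, fixed_letter in train_fixes:
        if fixed_maint == maint:
            # Same maintenance line: the rebuild letter decides ('' sorts below 'a').
            return "fixed" if letter >= fixed_letter else "affected"
    if maint < min(f[2] for f in train_fixes):
        return "affected"                     # 'prior to' the first fix in this train
    return "unknown"                          # later maintenance line; page is silent


if __name__ == "__main__":
    for v in ("2.2(4a)", "2.2(4b)", "2.2(5)", "2.2(5a)", "3.0(2d)", "3.0(2e)", "2.2(6a)", "3.1(1a)"):
        print(v, "->", assess(v))
```

Note that 2.2(5) is reported as affected: the advisory lists 2.2(5a) as a separate fixed release rather than saying "2.2(4b) and later", so the 2.2(5) base release is treated as prior to its fix.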
Source Message Contents
Cisco Unified Computing System Manager and Cisco Firepower 9000 Remote Command Execution Vulnerability
Advisory ID: cisco-sa-20160120-ucsm
For Public Release 2016 January 20 16:00 UTC (GMT)
A vulnerability in a CGI script in the Cisco UCS Manager and the Cisco
Firepower 9000 Series appliance could allow an unauthenticated, remote
attacker to execute arbitrary commands on the Cisco Unified Computing
System (UCS) Manager or the Cisco Firepower 9000 Series appliance.
The vulnerability is due to unprotected calling of shell commands in
the CGI script. An attacker could exploit this vulnerability by
sending a crafted HTTP request to the Cisco UCS Manager or the Cisco
Firepower 9000 Series appliance. An exploit could allow the attacker
to execute arbitrary commands on the Cisco UCS Manager or the Cisco
Firepower 9000 Series appliance.
Cisco has released software updates that address this vulnerability.
This advisory is available at the following link: