Cisco plugs remote code execution flaw in UCS Central control freak

No workarounds means you'll patch or die trying

Cisco has patched a remote code execution bug that could give attackers root privileges on its Unified Computing System (UCS) Central software used by more than 30,00 organisations.

The UCS data centre server platform joins hardware, virtualisation, networking and software into one system. Versions 1.2 and below are affected.

The Borg says the vulnerability (CVE-2015-0701) carries the maximum severity rating of 10 because of its low exploitation requirements and "complete" impact on confidentiality, integrity and availability.

"A vulnerability in the web framework of Cisco UCS Central Software could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device," it says in an advisory.

"The vulnerability is due to improper input validation. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the root user."

The Borg says patches for the bug are available but warns there are no workarounds.

Successful exploitation of the problem would grant unauthenticated access to sensitive information, allow arbitrary command execution on UCS boxes' operating systems, or create denial of service conditions.

Happily, no attacks using the flaw have been spotted in the wild. ®
