Cisco posted 17 security warnings about authentication vulnerabilities in its Unified Computing System

Cisco has posted a package of 17 critical security warnings about authentication vulnerabilities in its Unified Computing System that could let attackers break into systems or cause denial-of-service trouble.

Specifically, the problems are with Cisco's UCS Director and UCS Director Express, which let customers build private-cloud systems and support automated provisioning and orchestration to optimize and simplify delivery of data-center resources, the company said.

Most of the problems center on a weakness in the REST API (which is employed in a variety of web-based applications) in the affected Cisco products. Cisco said the vulnerabilities have a 9.8 out of 10 score on the Common Vulnerability Scoring System.

Some of the problems:

- A vulnerability in the REST API of Cisco UCS Director and UCS Director Express for Big Data could let an unauthenticated, remote attacker bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to insufficient access control validation. An attacker could exploit this vulnerability by sending a crafted request to the REST API.
- A vulnerability in the REST API of Cisco UCS Director and UCS Director Express for Big Data could allow an authenticated, remote attacker to execute arbitrary code with root privileges on the underlying operating system. The vulnerability is due to improper input validation. An attacker could exploit this weakness by crafting a malicious file and sending it to the REST API, Cisco stated.
- A vulnerability in the REST API of Cisco UCS Director and UCS Director Express for Big Data could let an unauthenticated, remote attacker bypass authentication and execute API calls on an affected device. The vulnerability is due to insufficient access control validation. A successful exploit could allow the attacker to interact with the REST API and cause a potential Denial of Service (DoS) condition on the affected device, Cisco said.

Cisco said it has released free software updates that address the vulnerabilities and has fixed them in UCS Director Release 6.7.4.0 and UCS Director Express for Big Data Release 3.7.4.0. Steven Seeley (mr_me) of Source Incite worked with Trend Micro's Zero Day Initiative to disclose the problems, which have not been exploited, the company said.

In addition to the UCS products, Cisco issued two other critical security warnings this week for its IP Phones.

First, a vulnerability in the web server for Cisco IP Phones could let an unauthenticated, remote attacker execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition, Cisco stated. This vulnerability affects the following Cisco products if they have web access enabled and are running a firmware release earlier than the first fixed release for that device:

- IP Phone 7811, 7821, 7841, and 7861 Desktop Phones
- IP Phone 8811, 8841, 8845, 8851, 8861, and 8865 Desktop Phones
- Unified IP Conference Phone 8831
- Wireless IP Phone 8821 and 8821-EX

The other IP Phone issue involves the web application for Cisco IP Phones and could let an attacker send a crafted HTTP request to the web server of a targeted device. A successful exploit could let the attacker remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition. The vulnerability exists because the affected software fails to check the bounds of input data, Cisco stated. Cisco said it has released free software updates to fix the problems.
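As an added example (not part of Cisco's advisories or the original article), the following script triages an inventory of UCS Director installations against the first fixed releases named above, 6.7.4.0 and 3.7.4.0. It compares releases numerically rather than as strings, and the hostnames and versions it checks are constructed for illustration.

```python
"""Triage UCS Director / UCS Director Express for Big Data releases against the
first fixed releases stated by Cisco (6.7.4.0 and 3.7.4.0).
Added example; assumes later releases keep the fix, so 'fixed' means
'at or above the first fixed release'."""
import re

# First fixed releases as stated in Cisco's advisories.
FIRST_FIXED = {
    "UCS Director": (6, 7, 4, 0),
    "UCS Director Express for Big Data": (3, 7, 4, 0),
}


def parse_version(text):
    """Turn a dotted release string such as '6.7.3.1' into an int tuple.
    Numeric comparison matters: as strings, '6.7.10.0' sorts below '6.7.4.0'."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    # Pad to four components so '6.7.4' compares equal to '6.7.4.0'.
    return parts + (0,) * (4 - len(parts))


def is_fixed(product, version):
    """True when `version` is at or above the first fixed release for `product`."""
    return parse_version(version) >= FIRST_FIXED[product]


def triage(inventory):
    """inventory: iterable of (hostname, product, version) tuples.
    Returns the hostnames still running a pre-fix release."""
    return [host for host, product, ver in inventory if not is_fixed(product, ver)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("ucsd-01", "UCS Director", "6.7.3.1"),
        ("ucsd-02", "UCS Director", "6.7.4.0"),
        ("ucsd-03", "UCS Director", "6.7.10.0"),
        ("ucsde-01", "UCS Director Express for Big Data", "3.7.3.0"),
    ]
    for host in triage(sample):
        print(f"{host}: still on an affected release, apply Cisco's update")
```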