Cisco has posted a package of 17 critical security warnings about authentication vulnerabilities in its Unified Computing System that could let attackers break into systems or cause denial of service troubles.

Specifically, the problems are with Cisco's UCS Director and Express, which let customers build private-cloud systems and support automated provisioning processes and orchestration to optimize and simplify delivery of data-center resources, the company said.

Most of the problems center around a weakness in the REST API – which is employed in a variety of Web-based applications – in the affected Cisco products. Cisco said the vulnerabilities have a 9.8 out of 10 score on the Common Vulnerability Scoring System.

Some of the problems:

A vulnerability in the REST API of Cisco UCS Director and UCS Director Express for Big Data could let an unauthenticated, remote attacker bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to insufficient access control validation. An attacker could exploit this vulnerability by sending a crafted request to the REST API.

A vulnerability in the REST API of Cisco UCS Director and UCS Director Express for Big Data could allow an authenticated, remote attacker to execute arbitrary code with root privileges on the underlying operating system. The vulnerability is due to improper input validation. An attacker could exploit this weakness by crafting a malicious file and sending it to the REST API, Cisco stated.

A vulnerability in the REST API of Cisco UCS Director and UCS Director Express for Big Data could let an unauthenticated, remote attacker bypass authentication and execute API calls on an affected device. The vulnerability is due to insufficient access control validation. A successful exploit could allow the attacker to interact with the REST API and cause a potential Denial of Service (DoS) condition on the affected device, Cisco said.

Cisco said it has released free software updates that address the vulnerabilities and has fixed the vulnerabilities in UCS Director Release 22.214.171.124 and UCS Director Express for Big Data Release 126.96.36.199.

Steven Seeley (mr_me) of Source Incite worked with Trend Micro Zero Day Initiative to divulge the problems, which have not been exploited, the company said.

In addition to the UCS products, Cisco issued two other critical security warnings this week with its IP Phones.

First, a vulnerability in the web server for Cisco IP Phones could let an unauthenticated, remote attacker execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition, Cisco stated.

This vulnerability affects the following Cisco products if they have web access enabled and are running a firmware release earlier than the first fixed release for that device:

IP Phone 7811, 7821, 7841, and 7861 Desktop Phones
IP Phone 8811, 8841, 8845, 8851, 8861, and 8865 Desktop Phones
Unified IP Conference Phone 8831
Wireless IP Phone 8821 and 8821-EX

The other IP Phone issue involved the web application for Cisco IP Phones, which could let an attacker send a crafted HTTP request to the web server of a targeted device. A successful exploit could let the attacker remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition.

The vulnerability exists because the affected software fails to check the bounds of input data, Cisco stated. Cisco said it has released free software updates to fix the problems.