Cisco Patches Remote Code Execution Bugs in UCS Central

Cisco has patched a critical input validation vulnerability in its UCS Central software.

Cisco has patched a serious remote code execution vulnerability in its Unified Computing System (UCS) Central software, a data center platform that integrates processing, networking, storage and virtualization into one system.

“An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device,” Cisco said Wednesday in an advisory. “An exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the root user.”

The UCS Central software fails to properly validate user input passed through its web framework, exposing the platform to remote attack; versions 1.2 and earlier are affected, Cisco said. The company added that no other workarounds are available and that it is not aware of any public exploits.
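The bug class the advisory describes, an HTTP request parameter that reaches an operating-system command without validation, is easiest to see side by side with the fix. The following is an added illustration written for this article, not Cisco's code and not a reconstruction of the UCS Central flaw: the handler name, the `nslookup` use case and the hostname rule are all assumptions chosen to show the pattern. The vulnerable variant interpolates the raw parameter into a shell command line; the hardened variant allowlists the parameter's character set and passes it as a single argv element with no shell involved.

```python
import re
import subprocess

# Constructed example (not Cisco's code): a hypothetical web handler that takes
# a "host" parameter from an HTTP request and resolves it with nslookup.

# Allowlist for the one shape of input this parameter is allowed to have:
# DNS hostname characters only, bounded length. Anything else is rejected.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Characters that change the meaning of a shell command line; used only to
# report *why* an input was rejected, never as the sole defence.
SHELL_METACHARACTERS = set(";|&$`<>(){}\n\\\"'* ?")


class InvalidInput(ValueError):
    """Raised when a request parameter fails validation."""


def vulnerable_build_command(host: str) -> str:
    """The bug class: the raw parameter is pasted into a shell command line.

    If this string were handed to subprocess.run(..., shell=True), everything
    after a shell metacharacter in `host` would run as its own command, with
    the privileges of the web service (root, in the advisory's case).
    """
    return f"nslookup {host}"


def validate_hostname(host: str) -> str:
    """Allowlist validation: accept only strings that look like a hostname."""
    if not HOSTNAME_RE.fullmatch(host):
        bad = sorted(c for c in host if c in SHELL_METACHARACTERS)
        detail = f" (shell metacharacters present: {bad})" if bad else ""
        raise InvalidInput("host must match [A-Za-z0-9.-]{1,253}" + detail)
    if host.startswith("-"):
        # Would otherwise be parsed by the child process as a command-line option.
        raise InvalidInput("host must not begin with '-'")
    return host


def hardened_build_command(host: str) -> list[str]:
    """The fix: validated parameter as one argv element, no shell in the path."""
    return ["nslookup", validate_hostname(host)]


def run_hardened(host: str) -> subprocess.CompletedProcess:
    """Execute with shell=False so argv elements are never re-parsed by a shell."""
    return subprocess.run(hardened_build_command(host), capture_output=True,
                          text=True, check=False, timeout=10)


def is_accepted(host: str) -> bool:
    """Convenience check for tests and for logging rejected requests."""
    try:
        validate_hostname(host)
        return True
    except InvalidInput:
        return False


if __name__ == "__main__":
    # Constructed request values: one legitimate, one carrying a shell metacharacter.
    for value in ("example.com", "example.com; echo injected"):
        print("raw shell string :", vulnerable_build_command(value))
        try:
            print("validated argv   :", hardened_build_command(value))
        except InvalidInput as exc:
            print("rejected         :", exc)
```

The point of the hardened path is that validation happens before the value is used anywhere, and that the value is never re-parsed by a shell; the allowlist is the primary control, and the metacharacter report exists only so rejected requests can be logged in a way a detection team can alert on.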

“Successful exploitation of the vulnerability may permit unauthenticated access to sensitive information, allow arbitrary command execution on the Cisco UCS Central operating system or impact the availability of the affected device,” the advisory said.

Users are urged to update to UCS Central software version 1.3, Cisco said, adding that it has assigned the vulnerability its highest severity score of 10.

Yesterday’s alert comes a little more than a month after two sets of patches released by the networking giant.

On March 23, Cisco cautioned users of its SPA 300 and 500 series IP phones of a number of firmware vulnerabilities that could allow an attacker to intercept and listen in on conversations, or make phone calls.

Three days later, the company released its regularly scheduled semiannual set of security patches for the IOS networking operating system. Cisco released seven advisories, patching 16 vulnerabilities that included a number of denial-of-service bugs and interface wedge issues, which occur when a router or switch queue holds certain packets that are never removed from the queue.

Cisco’s next set of scheduled IOS patches is set for September.
