Cisco has patched what it called a critical vulnerability in its Unified Computing System (UCS) Performance Manager software that could let an authenticated, remote attacker execute commands.
Cisco UCS Performance Manager versions 2.0.0 and prior are affected and the problem is resolved in Cisco UCS Performance Manager versions 2.0.1 and later. UCS Performance Manager collects information about UCS servers, network, storage, and virtual machines.
According to Cisco, the vulnerability is due to insufficient input validation performed on parameters that are passed via an HTTP GET request. An attacker could exploit this vulnerability by sending crafted HTTP GET requests to an affected system. An exploit could allow the attacker to execute arbitrary commands with the privileges of the root user.
Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available, the company stated.
The patch comes on the heels of a series of security fixes recently offered by Cisco. Earlier this month the company released patches for vulnerabilities in its IOS software for networking devices and the Cisco and WebEx conferencing servers.
According to an IDG News Service story, the most serious vulnerability affects the Cisco IOS XR software for the Cisco Network Convergence System (NCS) 6000 Series Routers. It can lead to a denial-of-service condition, leaving affected devices in a nonoperational state.
Unauthenticated, remote attackers could exploit the vulnerability by initiating a number of management connections to an affected device over Secure Shell (SSH), Secure Copy Protocol (SCP) or Secure FTP (SFTP). Because it could affect the availability of a critical piece of equipment, like a router, Cisco rated this vulnerability as high severity. There is no workaround and customers are advised to install the newly released patches.
Another flaw fixed in the Cisco IOS XR software could let attackers execute arbitrary commands on the operating system with root privileges. This vulnerability affects IOS XR Software Release 6.0.1.BASE and was rated medium severity because the attacker needs to be authenticated as a local user.
A denial-of-service vulnerability was also fixed in the Cisco IOS Software. It can be used to crash devices running affected versions of the software by sending specially crafted Link Layer Discovery Protocol (LLDP) packets to them. Exploitation doesn't require authentication, but requires the attacker to be in a position to send LLDP packets.
Information from the IDG News Service was used in this article.
This story, "Cisco patches critical exposure in management software" was originally published by Network World.