Vulnerability Discovered in Cisco Unified Computing System Central Software Could Allow for Arbitrary Command Execution

ITS Advisory Number: 2016-070
Date(s) Issued: Friday, April 15, 2016
Subject: Vulnerability Discovered in Cisco Unified Computing System Central Software Could Allow for Arbitrary Command Execution
Overview: 

A vulnerability in the web framework of Cisco Unified Computing System (UCS) Central Software could allow an unauthenticated, remote attacker to execute arbitrary commands on a targeted system. This vulnerability is due to improper input validation by the affected software. An attacker could exploit this vulnerability by sending a malicious HTTP request to an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system.

Systems Affected: 
  • Cisco UCS Central Software releases 1.3(1b) and prior
RISK
GOVERNMENT
  Large and medium government entities: High
  Small government entities: High
BUSINESS
  Large and medium business entities: High
  Small business entities: High
Home Users: N/A
Description: 

A vulnerability in the web framework of Cisco Unified Computing System (UCS) Central Software could allow an unauthenticated, remote attacker to execute arbitrary commands on a targeted system. Details of this vulnerability are as follows:

  • Cisco Unified Computing System (UCS) Central Software 1.3(1b) and earlier allows remote attackers to execute arbitrary OS commands via a crafted HTTP request, aka Bug ID CSCuv33856. (CVE-2016-1352)
Actions: 
  • After appropriate testing, install applicable updates provided by Cisco to the affected systems.
  • Verify no unauthorized system modifications have occurred on the system prior to applying the patch.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.