ITS Advisory Number:
2016-070
Date(s) Issued:
Friday, April 15, 2016
Subject:
Vulnerability Discovered in Cisco Unified Computing System Central Software Could Allow for Arbitrary Command Execution
Overview:
A vulnerability in the web framework of Cisco Unified Computing System (UCS) Central Software could allow an unauthenticated, remote attacker to execute arbitrary commands on a targeted system. This vulnerability is due to an improper input validation by the affected software. An attacker could exploit this vulnerability by sending a malicious HTTP request to an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system.
Systems Affected:
- Cisco UCS Central Software releases 1.3(1b) and prior
Description:
A vulnerability in the web framework of Cisco Unified Computing System (UCS) Central Software could allow an unauthenticated, remote attacker to execute arbitrary commands on a targeted system. Details of this vulnerability is as follows:
- A Cisco Unified Computing System (UCS) Central Software 1.3(1b) and earlier allows remote attackers to execute arbitrary OS commands via a crafted HTTP request, aka Bug ID CSCuv33856. (CVE-2016-1352)
Actions:
- After appropriate testing, install applicable updates provided by Cisco to the affected systems.
- Verify no unauthorized system modifications have occurred on the system prior to applying the patch.
- Monitor intrusion detection systems for any signs of anomalous activity.
- Unless required, limit external network access to affected products.