CIO

Cisco: 6 critical security alarms for UCS software, small-biz routers

Cisco finds critical bugs in its Unified Computing System Director and Director Express software for Big Data packages as well as its Small Business 220 Series Smart Switches.

Cisco today warned its Unified Computing System (UCS) customers about four critical fixes they need to make to stop nefarious agents from taking over or attacking their systems. The problems all have a severity rating of 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS).

The critical bugs are found in the Cisco UCS Director and UCS Director Express for Big Data packages.

UCS Director lets customers build private-cloud systems and supports automated provisioning processes and orchestration to optimize and simplify delivery of data-center resources, the company said. 

Cisco UCS Director Express for Big Data automates Hadoop deployment on the Cisco UCS Common Platform Architecture for Big Data infrastructure. It also provides a single management pane across both physical infrastructure and Hadoop software. Cisco says the UCS Director Express for Big Data is an open private-cloud platform that delivers on-premises Big-Data-as-a-Service (BDaaS) from the core to the edge.

“Automated workflows configure, deploy, and manage the infrastructure resources and big-data platforms such as Hadoop and Splunk Enterprise across Cisco UCS Integrated Infrastructure for Big Data and Analytics – a general-purpose converged infrastructure for big data,” the company stated.

Cisco describes the vulnerabilities as follows:

  • A weakness in the web-based management interface of Cisco UCS Director and Cisco UCS Director Express for Big Data could let an unauthenticated, remote attacker bypass authentication and execute arbitrary actions with administrator privileges on an affected system. A successful exploit could allow an unprivileged attacker to access and execute arbitrary actions through certain APIs. The vulnerability is due to improper authentication-request handling. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device.
  • A vulnerability in both products could let an unauthenticated remote attacker log in to the command-line interface of an affected system by using the SCP User account (scpuser), which has default user credentials. The vulnerability is due to the presence of a documented default account with an undocumented default password and incorrect permission settings for that account. Changing the default password for this account is not enforced during the installation of the product. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the scpuser account. This includes full read and write access to the system's database.
  • An exposure in the web-based management interface to both products could let an unauthenticated, remote attacker acquire a valid session token with administrator privileges, bypassing user authentication. The vulnerability is due to insufficient request-header validation during the authentication process and an attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could let the attacker use the acquired session token to gain full administrator access to the affected device.
  • The final two critical advisories are around similar problems. An exposure in the web-based management interface to both products could let an unauthenticated, remote attacker acquire a valid session token with administrator privileges, bypassing user authentication. The vulnerability is due to insufficient request header validation during the authentication process and an attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could let the attacker use the acquired session token to gain full administrator access to the affected device.

Cisco has released free software fixes to handle the vulnerabilities. Customers may only install and expect support for software versions and feature sets for which they have purchased a license.
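For the default scpuser account described in the list above, one defensive check is to review SSH authentication logs for any login by that account. The following is an added example, not code from Cisco or the original article; it assumes OpenSSH-style syslog lines, and the sample log lines, hostname, addresses and trusted subnet are constructed.

```python
import ipaddress
import re

# Assumption: SSH authentication is logged in OpenSSH syslog format.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")


def review_scpuser_logins(lines, trusted_nets, account="scpuser"):
    """Return (findings, failures) for SSH activity by the default account.

    findings: (level, source, method) per successful login; level is
    "alert" for a source outside trusted_nets, otherwise "review".
    failures: failed-attempt count per source address.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings, failures = [], {}
    for line in lines:
        ok = ACCEPTED.search(line)
        if ok and ok["user"] == account:
            src = ipaddress.ip_address(ok["src"])
            level = "review" if any(src in n for n in nets) else "alert"
            findings.append((level, ok["src"], ok["method"]))
            continue
        bad = FAILED.search(line)
        if bad and bad["user"] == account:
            failures[bad["src"]] = failures.get(bad["src"], 0) + 1
    return findings, failures


# Constructed sample log lines; hostname, addresses and ports are made up.
SAMPLE_LOG = [
    "Aug 22 09:14:02 ucsd sshd[2210]: Accepted password for scpuser from 10.20.0.15 port 51122 ssh2",
    "Aug 22 11:40:17 ucsd sshd[2298]: Failed password for scpuser from 203.0.113.50 port 40022 ssh2",
    "Aug 22 11:40:21 ucsd sshd[2298]: Failed password for scpuser from 203.0.113.50 port 40022 ssh2",
    "Aug 22 11:40:26 ucsd sshd[2298]: Accepted password for scpuser from 203.0.113.50 port 40022 ssh2",
    "Aug 22 12:01:09 ucsd sshd[2333]: Accepted publickey for admin from 10.20.0.7 port 50210 ssh2",
    "Aug 22 12:05:44 ucsd sshd[2340]: Failed password for invalid user test from 198.51.100.9 port 33190 ssh2",
]
TRUSTED = ["10.20.0.0/24"]  # hypothetical management subnet

if __name__ == "__main__":
    print(review_scpuser_logins(SAMPLE_LOG, TRUSTED))
```

A "review" result still deserves a look: the installer does not force a password change for this account, so even a login from a trusted subnet may be using the default credentials.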

Two other critical warnings were also issued involving the company’s Small Business 220 Series Smart Switches.

In the first warning, Cisco wrote that multiple vulnerabilities in the web management interface of Cisco Small Business 220 Series Smart Switches could let an unauthenticated, remote attacker overflow a buffer, which then allows the execution of arbitrary code with root privileges on the underlying operating system.

“The vulnerabilities are due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer. An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device. Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS,” Cisco stated. 

The second warning described a weakness due to incomplete authorization checks in the web management interface. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface, and a successful exploit could let the attacker modify the configuration of an affected device or inject a reverse shell.

Cisco has released software to fix the 220 switch problems.