Cisco warns of four critical vulnerabilities


By Dylan Bushell-Embling
Monday, 26 August, 2019


Cisco warns of four critical vulnerabilities

Cisco has issued security alerts for a series of four critical vulnerabilities in the company's Cisco UCS Director and UCS Director Express for Big Data packages.

The four vulnerabilities each have a severity rating of 9.8 out of 10 on the Common Vulnerability Scoring System.

The authentication bypass vulnerabilities were found in the web-based management interface of the Cisco Integrated Management Controller, Cisco UCS Director and Cisco UCS Director Express for Big Data packages.

If exploited, they could allow unauthenticated, remote attackers to acquire valid session tokens with administrator privileges, bypassing user authentication, Cisco said.

Two of the vulnerabilities are due to insufficient request header validation during the authentication process, and allow attackers to take advantage of the bug by sending large volumes of malicious requests to an affected device.

A third is due to the presence of an undocumented default password for a documented user account, as well as incorrect permission settings for the account granting it the privileges of an scpuser account. This includes full read and write access to the system's database.

The final vulnerability is due to improper authentication request handling and can be exploited by sending crafted HTTP requests to affected devices.

There are no workarounds for three of the four vulnerabilities — only the one that involves the default password — but Cisco has released a patch addressing all four of these.

Cisco said its Product Security Incident Response Team is not aware of any instances of these vulnerabilities being exploited in the wild. They were uncovered during internal security testing.

Image credit: ©iStockphoto.com/Federico Caputo

Information Technology Professionals Association (ITPA) is a not-for-profit organisation focused on continual professional development for its 18,700 members. To learn more about becoming an ITPA member, and the range of training opportunities, mentoring programs, events and online forums available, go to www.itpa.org.au.

Related News

Govt unveils code of practice to boost IoT security

The Australian Government has released a code of practice for IoT devices like smart televisions...

Career opportunities booming in RPA

UiPath has revealed that the COVID-19 pandemic has increased demand for robotic process...

Magento 1 still in wide use despite reaching end of life

Adobe has issued the final patches for version 1 of the popular e-commerce platform Magento, but...


  • All content Copyright © 2021 Westwick-Farrow Pty Ltd