Cisco warns of four critical vulnerabilities
Cisco has issued security alerts for a series of four critical vulnerabilities in the company's Cisco UCS Director and UCS Director Express for Big Data packages.
The four vulnerabilities each have a severity rating of 9.8 out of 10 on the Common Vulnerability Scoring System.
The authentication bypass vulnerabilities were found in the web-based management interface of the Cisco Integrated Management Controller, Cisco UCS Director and Cisco UCS Director Express for Big Data packages.
If exploited, they could allow unauthenticated, remote attackers to acquire valid session tokens with administrator privileges, bypassing user authentication, Cisco said.
Two of the vulnerabilities are due to insufficient request header validation during the authentication process, and allow attackers to take advantage of the bug by sending large volumes of malicious requests to an affected device.
A third is due to the presence of an undocumented default password for a documented user account, as well as incorrect permission settings for the account granting it the privileges of an scpuser account. This includes full read and write access to the system's database.
The final vulnerability is due to improper authentication request handling and can be exploited by sending crafted HTTP requests to affected devices.
There are no workarounds for three of the four vulnerabilities — only the one that involves the default password — but Cisco has released a patch addressing all four of these.
Cisco said its Product Security Incident Response Team is not aware of any instances of these vulnerabilities being exploited in the wild. They were uncovered during internal security testing.
Information Technology Professionals Association (ITPA) is a not-for-profit organisation focused on continual professional development for its 18,700 members. To learn more about becoming an ITPA member, and the range of training opportunities, mentoring programs, events and online forums available, go to www.itpa.org.au.
Failing to provide IT employees with quality training can cause significant costs for businesses,...
An exploit for the BlueKeep Windows vulnerability has been released by the open source Metasploit...
The Australian Government is seeking feedback on a new cybersecurity strategy to help businesses...