Itpa webheader

Cisco warns of four critical vulnerabilities


By Dylan Bushell-Embling
Monday, 26 August, 2019


Cisco warns of four critical vulnerabilities

Cisco has issued security alerts for a series of four critical vulnerabilities in the company's Cisco UCS Director and UCS Director Express for Big Data packages.

The four vulnerabilities each have a severity rating of 9.8 out of 10 on the Common Vulnerability Scoring System.

The authentication bypass vulnerabilities were found in the web-based management interface of the Cisco Integrated Management Controller, Cisco UCS Director and Cisco UCS Director Express for Big Data packages.

If exploited, they could allow unauthenticated, remote attackers to acquire valid session tokens with administrator privileges, bypassing user authentication, Cisco said.

Two of the vulnerabilities are due to insufficient request header validation during the authentication process, and allow attackers to take advantage of the bug by sending large volumes of malicious requests to an affected device.

A third is due to the presence of an undocumented default password for a documented user account, as well as incorrect permission settings for the account granting it the privileges of an scpuser account. This includes full read and write access to the system's database.

The final vulnerability is due to improper authentication request handling and can be exploited by sending crafted HTTP requests to affected devices.

There are no workarounds for three of the four vulnerabilities — only the one that involves the default password — but Cisco has released a patch addressing all four of these.

Cisco said its Product Security Incident Response Team is not aware of any instances of these vulnerabilities being exploited in the wild. They were uncovered during internal security testing.

Image credit: ©iStockphoto.com/Federico Caputo

Information Technology Professionals Association (ITPA) is a not-for-profit organisation focused on continual professional development for its 18,700 members. To learn more about becoming an ITPA member, and the range of training opportunities, mentoring programs, events and online forums available, go to www.itpa.org.au.

Related News

Neglecting IT training can have "astronomical" costs

Failing to provide IT employees with quality training can cause significant costs for businesses,...

BlueKeep exploit released into the wild

An exploit for the BlueKeep Windows vulnerability has been released by the open source Metasploit...

Government seeks feedback on cybersecurity strategy

The Australian Government is seeking feedback on a new cybersecurity strategy to help businesses...


  • All content Copyright © 2019 Westwick-Farrow Pty Ltd