Security hole receives the maximum severity score

May 7, 2015 09:58 GMT

Some versions of Cisco’s Unified Computing System (UCS) Central Software contain a high-severity vulnerability that an attacker can exploit to access sensitive information, run arbitrary code on the system, or render the device unavailable.

The product is designed as a unified management solution for tasks and policies affecting thousands of servers spread across the world.

Bug receives the highest severity score

The vulnerability is present in Cisco UCS Central Software versions 1.2 and lower, and it can be exploited by a remote attacker without authentication.

Identified as CVE-2015-0701, the security flaw resides in the web framework of the product and is the result of improper input validation.

An attacker can trigger it by sending the affected device a specially crafted HTTP request, which can result in arbitrary commands being executed on the underlying operating system with root privileges.

The flaw is rated at maximum severity, with a calculated score of 10 under the CVSS (Common Vulnerability Scoring System) standard, because exploitation is of low complexity and can lead to a complete compromise of the system.

New product version mitigates the risks

In an advisory on Wednesday, Cisco said that there is no indication that the security bug is currently being exploited in the wild or that it has been publicly disclosed.

To plug the hole, the company released UCS Central Software Version 1.3(1a). No workarounds are available to mitigate the risk, so updating to this release is the only way to protect against attacks that take advantage of the vulnerability.

Before updating, administrators are advised to make sure that the device has sufficient memory to carry out the task. A direct download link is provided by the company for its customers.