Cisco: 6 critical security alarms for UCS software, small-biz routers

Cisco today warned its Unified Computing System (UCS) customers about four critical fixes they need to make to stop nefarious agents from taking over or attacking their systems. The problems all have a severity rating of 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS).

The critical bugs are found in the Cisco UCS Director and UCS Director Express for Big Data packages.

UCS Director lets customers build private-cloud systems and supports automated provisioning processes and orchestration to optimize and simplify delivery of data-center resources, the company said.

Cisco UCS Director Express for Big Data automates Hadoop deployment on the Cisco UCS Common Platform Architecture for Big Data infrastructure. It also provides a single management pane across both physical infrastructure and Hadoop software. Cisco says the UCS Director Express for Big Data is an open private-cloud platform that delivers on-premises Big-Data-as-a-Service (BDaaS) from the core to the edge.

"Automated workflows configure, deploy, and manage the infrastructure resources and big-data platforms such as Hadoop and Splunk Enterprise across Cisco UCS Integrated Infrastructure for Big Data and Analytics - a general-purpose converged infrastructure for big data," the company stated.

Cisco describes the vulnerabilities as follows:

Two other critical warnings were also issued involving the company's Small Business 220 Series Smart Switches.

In the first warning, Cisco wrote that multiple vulnerabilities in the web management interface of Cisco Small Business 220 Series Smart Switches could let an unauthenticated, remote attacker overflow a buffer, which then allows the execution of arbitrary code with root privileges on the underlying operating system.

"The vulnerabilities are due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer. An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device. Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS," Cisco stated.

The second warning described a weakness due to incomplete authorization checks in the web management interface. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface, and a successful exploit could let the attacker modify the configuration of an affected device or inject a reverse shell.

Cisco has released software to fix the 220 switch problems.