List: cisco-nsp
Subject: [c-nsp] Cisco Security Advisory: Cisco UCS Director Privilege Escalation Vulnerability
From: Cisco Systems Product Security Incident Response Team <psirt () cisco ! com>
Date: 2017-02-15 16:07:03
Message-ID: 201702151107.9.ucs () psirt ! cisco ! com
Cisco Security Advisory: Cisco UCS Director Privilege Escalation Vulnerability
Advisory ID: cisco-sa-20170215-ucs
Revision 1.0
For Public Release 2017 February 15 16:00 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
A vulnerability in the web-based GUI of Cisco UCS Director could allow an
authenticated, local attacker to execute arbitrary workflow items with just an
end-user profile.
The vulnerability is due to improper role-based access control (RBAC) after the
Developer Menu is enabled in Cisco UCS Director. Attackers could exploit this
vulnerability by enabling Developer Mode for their user profile with an end-user
profile and then adding new catalogs with arbitrary workflow items to the profile. An
exploit could allow attackers to perform any actions defined by these workflow items,
including actions affecting other tenants.
Cisco has released software updates that address this vulnerability. There are no
workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-ucs