Executive Summary

Summary
TitleCisco HyperFlex Software Static Signing Key Vulnerability
Informations
Namecisco-sa-20181003-hyperflex-secretFirst vendor Publication2018-10-03
VendorCiscoLast vendor Modification2018-10-03
Severity (Vendor) N/ARevisionN/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score7.5Attack RangeNetwork
Cvss Impact Score6.4Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

A vulnerability in Cisco HyperFlex Software could allow an unauthenticated, remote attacker to generate valid, signed session tokens.

The vulnerability is due to a static signing key that is present in all Cisco HyperFlex systems. An attacker could exploit this vulnerability by accessing the static signing key from one HyperFlex system and using it to generate valid, signed session tokens for another HyperFlex system. A successful exploit could allow the attacker to access the HyperFlex Web UI of a system for which they are not authorized.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-hyperflex-secret ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-hyperflex-secret"]

BEGIN PGP SIGNATURE

iQJ5BAEBAgBjBQJbtOqjXBxDaXNjbyBQcm9kdWN0IFNlY3VyaXR5IEluY2lkZW50 IFJlc3BvbnNlIFRlYW0gKENpc2NvIFBTSVJUIGtleSAyMDE4LTIwMTkpIDxwc2ly dEBjaXNjby5jb20+AAoJEJa12PPJBfcztXQQAMec9Gv+5F4LI9rFz21PqPMd40NW z6YTUec1V04yiG372fSk0harZoLaBJ3sOA0K7qb57lFBnNKxVOtk9BnIz0zDgOKV 6L9WTx4VH1nkb5ZHjEEF3tLTLzfKbdRHyrUtFbhy5HsrSpofceqLmbmwHPfFMiqu xN6/CoSQtULDmLfnt+cdnqLFHqLUtdGj9aheYukPec6xq7VZc16lsMcEhsIJMbxW 7vTsdXizgkDSsmD3aUfZ1gXoH3PaArRXa5ZlNVZTO98w7lWQC7VLWAb8GhzfJGmN OTlwSKz8et6lR7IpNHs9PGqG2oZu//KqZhhcQZf/BTuUvvt0CNgQUoWEKZFvph3z kSsuFMBJpNN1iAopZNf+bxIqlgUYPl1w+cYGPDYCvecSKV6CB8Zj9ImS0TFMZNBW MkEdrfLNwgBeo57nG6dnLI0AxhXX3OFynJz0EkpIVqrrz+zC3eP5BKyF8uuYn42Q R1no512ExIDxNU+MFHl+WjI8P9wxo5KNylEYxvawB3os09FAZutTFg//pFvrptJE 4xNKSkq52IcFKDWovwY3tq3a3AuY9YQgp9xg/riJzFfMjn92Os9WXAxaVTwkAMMl 3QQJEFvSb7mepYqMXEL2zgMS33AcgnmtoxDoiiXGSym4A36qLXv2AuifbN6VenXX 9cKdb1jEHuzrRjn9 =P7Kz END PGP SIGNATURE

_______________________________________________ cust-security-announce mailing list cust-security-announce@cisco.com To unsubscribe, send the command "unsubscribe" in the subject of your message to cust-security-announce-leave@cisco.com

Original Source

Url : http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco (...)

CWE : Common Weakness Enumeration

%idName
100 %CWE-642External Control of Critical State Data

CPE : Common Platform Enumeration

TypeDescriptionCount
Os1

Alert History

If you want to see full details history, please login or register.
0
1
2
DateInformations
2018-11-29 00:22:40
  • Multiple Updates
2018-10-05 21:21:50
  • Multiple Updates
2018-10-03 21:19:32
  • First insertion