Executive Summary

Title Cisco UCS Invicta Default SSH Key Vulnerability
Name cisco-sa-20160406-ucs First vendor Publication 2016-04-06
Vendor Cisco Last vendor Modification 2016-04-06
Severity (Vendor) N/A Revision 1.0

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


A vulnerability in the implementation of intra-process communication for Cisco UCS Invicta Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user.

The vulnerability is due to the presence of a default SSH private key that is stored in an insecure way on the system. An attacker could exploit this vulnerability by obtaining the SSH private key and connecting using the root account to the system without providing a password. An exploit could allow the attacker to gain access to the system with the privileges of the root user.

Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160406-ucs

BEGIN PGP SIGNATURE Version: GnuPG/MacGPG2 v2 Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJXBRJCAAoJEK89gD3EAJB5muUQAJIURzgd5bW4RE6IG6NqznNq 9zL084TWr/TE+lg+NgMQBWc2WqQmxm0+pZnBKpPpmTJ53Lu4yxs0X0ugEpO27r9d l0JVvntCUBwhHogOSCrZCRiqMMMRvC1rj2iYsKIy8khfMfe8/CMHhz/oau8IuhfM 0E/AUTQCTtX6shy0igKXQ6AlX+VZPXswJVvmVdKPB4HOX9/Oc3pPGJ1qOLn+TY3x mAX1dgN4tYqZYnIqY/a9vkBOm/8vd5otW8FgrqrY288QohY7ixoZKEBXPYtAYhWY cmuJjlYgXAJgiHohdEtTCI9biI37+sRURX2RALRBRIKohCfflYpOlVwyczCBNmoS Hx8Y2GzEP8q1BYtNWWekYY9hlgFwnKh8q3M0YNxQ2hW8iOLoFdEnMbIF8YMmmTeU g3HF7WhgDXaLFPFzlT2HrICXvGLz177vDVocEugg4ygbo4Xd5MVZqkfsN1xUgAuG EqVnhoSpRaA8syCg96lJ+dN8BNd/BZKaFWXkN22WGWM+vR9No2NwCEAijiI/u6bN 6S1i97X4UD/SKPUDSr0+PSzWuAlva7vT078STrBj5FMm3JSbT+Q3SbbYQEE98esf hOOV0gOoTh2fkD1eOzZKK3jv/PfTykjJqrfhDu4D1HFvDYL3mScfovXsOZwYtEMx xHRnUExXIaFVEtEth38e =zNe +END PGP SIGNATURE _______________________________________________ cust-security-announce mailing list cust-security-announce@cisco.com To unsubscribe, send the command "unsubscribe" in the subject of your message to cust-security-announce-leave@cisco.com

Original Source

Url : http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco (...)

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-264 Permissions, Privileges, and Access Controls

CPE : Common Platform Enumeration

Application 3

Alert History

If you want to see full details history, please login or register.
Date Informations
2016-04-08 00:27:26
  • Multiple Updates
2016-04-06 21:24:28
  • First insertion