Cisco squashes DoS bug in its unified infrastructure software

Cisco has released a patch for a serious remotely exploitable vulnerability affecting its Integrated Management Controller (IMC) Supervisor and Cisco UCS Director offerings.

“A vulnerability in JavaServer Pages (JSP) input validation routines of the Cisco IMC Supervisor and Cisco UCS Director could allow an unauthenticated, remote attacker to overwrite arbitrary files on the system,” the company explained in an advisory.

“The vulnerability is due to incomplete input sanitization on specific JSP pages. An attacker could exploit this vulnerability by sending crafted HTTP requests to the affected system. An exploit could allow the attacker to overwrite arbitrary system files resulting in system instability.”
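The advisory describes the generic failure mode here: a JSP page takes a file name from an HTTP request, sanitizes it only partially, and ends up writing wherever the caller points it. The following Java sketch is an added example, not Cisco's code and not the vulnerable IMC Supervisor or UCS Director routine, that shows the weak pattern beside a hardened one. The upload directory, the `SAFE_NAME` allowlist and the method names are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.util.regex.Pattern;

public final class SafeFileWrite {

    // Assumption: the only directory a page handler is ever allowed to write into.
    private static final Path UPLOAD_ROOT =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // Allowlist for the user-supplied name: plain characters only, no separators.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    /**
     * Incomplete sanitization: rejecting ".." alone says nothing about an
     * absolute path, which Path.resolve() returns unchanged. Kept only to
     * show the weak pattern; do not use.
     */
    static Path weakResolve(String userName) {
        if (userName.contains("..")) {
            throw new IllegalArgumentException("rejected file name");
        }
        return UPLOAD_ROOT.resolve(userName);
    }

    /**
     * Hardened version: validate against a strict allowlist, then confirm the
     * normalized absolute target still lives beneath UPLOAD_ROOT.
     */
    static Path safeResolve(String userName) {
        if (userName == null
                || !SAFE_NAME.matcher(userName).matches()
                || userName.equals(".") || userName.equals("..")) {
            throw new IllegalArgumentException("rejected file name");
        }
        Path target = UPLOAD_ROOT.resolve(userName).normalize();
        if (!target.startsWith(UPLOAD_ROOT) || target.equals(UPLOAD_ROOT)) {
            throw new IllegalArgumentException("target escapes upload root");
        }
        return target;
    }

    /** What a page handler would call: validated name, and no overwrite of existing files. */
    static void writeUpload(String userName, byte[] body) throws IOException {
        Path target = safeResolve(userName);
        Files.createDirectories(UPLOAD_ROOT);
        // CREATE_NEW fails if the file already exists, so a valid name still cannot clobber anything.
        Files.write(target, body, StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);
    }

    public static void main(String[] args) {
        // Constructed sample names: one legitimate, one absolute path that the weak check lets through.
        String[] samples = { "report.txt", "/etc/hosts" };
        for (String s : samples) {
            try {
                System.out.println("weak: " + s + " -> " + weakResolve(s));
            } catch (IllegalArgumentException e) {
                System.out.println("weak: " + s + " -> rejected (" + e.getMessage() + ")");
            }
            try {
                System.out.println("safe: " + s + " -> " + safeResolve(s));
            } catch (IllegalArgumentException e) {
                System.out.println("safe: " + s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The two checks in `safeResolve` are deliberately redundant: the allowlist stops bad input at the edge, and the `startsWith(UPLOAD_ROOT)` test on the normalized path catches anything the allowlist was later loosened to admit. Opening with `CREATE_NEW` is the last line of defence, since an overwrite of an existing system file is exactly the outcome the advisory warns about.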

The bug affects all Cisco IMC Supervisor versions prior to v1.0.0.1, and all Cisco UCS Director versions prior to v5.2.0.1. Cisco IMC Supervisor users are urged to apply the offered patch, and Cisco UCS Director users should upgrade to one of the unaffected versions, as there are no effective workarounds to solve this problem.

The only good news is that there is no indication that the flaw has been exploited in the wild – the company discovered it during internal testing.