Cisco Bug: CSCun71294 - Cisco Invicta Default SSH Key Vulnerability

Last Modified

Aug 06, 2018

Products (1)

  • Cisco UCS Invicta Series Solid State Systems

Known Affected Releases

v4.3_RELEASE v4.5_RELEASE v5.0.1_RELEASE

Description (partial)

Symptom:
A vulnerability in the implementation of intra-process communication in the Cisco UCS Invicta Software could allow an unauthenticated, remote
attacker to connect to the affected system with the privileges of the root user.

The vulnerability is due to the presence of a default SSH private key, which is stored in an insecure way on the system. An attacker could
exploit this vulnerability by obtaining the SSH private key. This allows the attacker to connect to the system as the root account
without providing a password. An exploit could allow the attacker to gain access to the system with the privileges of the root user.

Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160406-ucs
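
A default key of the kind described above shows up in an audit as the same public key trusted for root on more than one system. The following Python sketch is an added example, not Cisco code: it fingerprints root's `authorized_keys` entries per host and reports keys shared across hosts. Host names and key bytes are constructed samples; the actual Invicta key and its fingerprint are not given on this page.

```python
import base64, binascii, hashlib, struct
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def fingerprints(authorized_keys_text):
    """Yield SHA256 fingerprints (ssh-keygen -lf style) for each valid key line."""
    for line in authorized_keys_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens[:-1]):
            if not tok.startswith(KEY_TYPES):
                continue
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except (binascii.Error, ValueError):
                continue
            # A real key blob starts with its own length-prefixed type name;
            # this rejects look-alike tokens inside options such as command="...".
            name = tok.encode()
            if blob[:4 + len(name)] == struct.pack(">I", len(name)) + name:
                digest = hashlib.sha256(blob).digest()
                yield "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
                break

def shared_root_keys(root_keys_by_host, min_hosts=2):
    """Map fingerprint -> sorted hosts, for keys trusted for root on >= min_hosts hosts."""
    seen = defaultdict(set)
    for host, text in root_keys_by_host.items():
        for fp in fingerprints(text):
            seen[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) >= min_hosts}

def _sample_line(seed, comment, options=""):
    """Constructed sample: an ssh-ed25519 public key line with fake key bytes."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([seed]) * 32
    return f"{options}ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

# Constructed inventory: root's authorized_keys collected from three hypothetical hosts.
SAMPLE = {
    "array-01": _sample_line(1, "factory@image") + "\n" + _sample_line(2, "ops@array-01"),
    "array-02": "# managed\n" + _sample_line(1, "factory@image", 'command="echo ssh-rsa x" '),
    "array-03": _sample_line(3, "ops@array-03"),
}

if __name__ == "__main__":
    for fp, hosts in shared_root_keys(SAMPLE).items():
        print(fp, "trusted for root on", ", ".join(hosts))
```

A key reported here that no administrator provisioned is a candidate for removal and for review of root logins that used it.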

Conditions:
See security advisory