Cisco Unified Computing System Fabric Interconnect Devices Arbitrary Command Execution Vulnerability

2013-09-24T19:32:05
ID CISCO-SA-20130924-CVE-2012-4086
Type cisco
Reporter Cisco
Modified 2013-09-24T19:31:35

Description

A vulnerability in the initial setup script of Cisco Unified Computing System fabric interconnect devices could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system.

The vulnerability is due to unfiltered input in the initial configuration script. An attacker could exploit this vulnerability by entering invalid parameters during initial setup. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the daemon user.

Cisco has confirmed the vulnerability in a security notice and released software updates.

To exploit this vulnerability, it is likely that an attacker would need access to trusted, internal networks in which the targeted device may reside. This access requirement decreases the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.