Cisco Unified Computing System C-Series Servers Man-in-the-Middle Vulnerability

A vulnerability in the Cisco Integrated Management Controller of the Cisco Unified Computing System (UCS) C-Series Servers could allow an unauthenticated, remote attacker to perform a man-in-the-middle attack against the affected device.

The vulnerability is due to improper validation of the SSL certificate used to manage the device. An attacker could exploit this vulnerability by using the default SSL certificate to intercept, decrypt, read, and write information.

Cisco has confirmed the vulnerability; however, software updates are not available.

A successful exploit of this vulnerability could allow the attacker to impact the confidentiality of information transmitted by the device by decrypting encrypted content and accessing sensitive information, which could be used to conduct further attacks.

The attacker may need access to trusted, internal networks to use the default SSL certificate used to manage the device, making exploitation more difficult in environments that restrict access to untrusted sources.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.