[c-nsp] Cisco Security Advisory: Cisco UCS Invicta Default SSH Key Vulnerability

Wed Apr 6 12:08:03 EDT 2016

A vulnerability in the implementation of intra-process communication for Cisco UCS Invicta Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user.

The vulnerability is due to the presence of a default SSH private key that is stored in an insecure way on the system. An attacker could exploit this vulnerability by obtaining the SSH private key and connecting using the root account to the system without providing a password. An exploit could allow the attacker to gain access to the system with the privileges of the root user.

Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160406-ucs

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJXBRJCAAoJEK89gD3EAJB5muUQAJIURzgd5bW4RE6IG6NqznNq
9zL084TWr/TE+lg+NgMQBWc2WqQmxm0+pZnBKpPpmTJ53Lu4yxs0X0ugEpO27r9d
l0JVvntCUBwhHogOSCrZCRiqMMMRvC1rj2iYsKIy8khfMfe8/CMHhz/oau8IuhfM
0E/AUTQCTtX6shy0igKXQ6AlX+VZPXswJVvmVdKPB4HOX9/Oc3pPGJ1qOLn+TY3x
mAX1dgN4tYqZYnIqY/a9vkBOm/8vd5otW8FgrqrY288QohY7ixoZKEBXPYtAYhWY
cmuJjlYgXAJgiHohdEtTCI9biI37+sRURX2RALRBRIKohCfflYpOlVwyczCBNmoS
Hx8Y2GzEP8q1BYtNWWekYY9hlgFwnKh8q3M0YNxQ2hW8iOLoFdEnMbIF8YMmmTeU
g3HF7WhgDXaLFPFzlT2HrICXvGLz177vDVocEugg4ygbo4Xd5MVZqkfsN1xUgAuG
EqVnhoSpRaA8syCg96lJ+dN8BNd/BZKaFWXkN22WGWM+vR9No2NwCEAijiI/u6bN
6S1i97X4UD/SKPUDSr0+PSzWuAlva7vT078STrBj5FMm3JSbT+Q3SbbYQEE98esf
hOOV0gOoTh2fkD1eOzZKK3jv/PfTykjJqrfhDu4D1HFvDYL3mScfovXsOZwYtEMx
xHRnUExXIaFVEtEth38e
=zNe+
-----END PGP SIGNATURE-----