OS command injection in Cisco UCS Central Software - CVE-2018-0113

Published: February 8, 2018


Vulnerability identifier: #VU10407
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-0113
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco UCS Central Software

Detailed vulnerability description

The vulnerability allows a remote authenticated attacker to execute arbitrary shell commands on the target system.

The vulnerability exists in an operations script of Cisco UCS Central due to insufficient input validation. A remote authenticated attacker can send a specially crafted request to the user interface of Cisco UCS Central and inject and execute arbitrary shell commands with the privileges of the daemon user.

Successful exploitation of the vulnerability may result in system compromise.


How to mitigate CVE-2018-0113

Update to version 2.0(1c).

Sources