Cisco has patched a remote file-overwrite vulnerability in a couple of its products that could allow an attacker to replace arbitrary files and cause target systems to become unstable.
The vulnerability affects the Cisco Integrated Management Controlled Supervisor and UCS Director software. The company has fixed the bug in new versions of the software, 18.104.22.168 for Cisco UCS and 22.214.171.124 for the UCS Director. The IMC Supervisor is designed to give customers the ability to manage other Cisco servers from a central point. The UCS Director, meanwhile, provides centralized management of software and hardware in Cisco’s Unified Computing System.
“A vulnerability in JavaServer Pages (JSP) input validation routines of the Cisco IMC Supervisor and Cisco UCS Director could allow an unauthenticated, remote attacker to overwrite arbitrary files on the system,” the Cisco advisory says.
“The vulnerability is due to incomplete input sanitization on specific JSP pages. An attacker could exploit this vulnerability by sending crafted HTTP requests to the affected system. An exploit could allow the attacker to overwrite arbitrary system files resulting in system instability.”
Cisco said there are no workarounds available for the vulnerability, but there are no known public exploits for the bug, either.