
====================================================================

                                 CERT-Renater

                    Note d'Information No. 2016/VULN228
_____________________________________________________________________

DATE                : 25/05/2016

HARDWARE PLATFORM(S): Cisco UCS Invicta appliances, Cisco UCS Invicta
                        Scaling System.

OPERATING SYSTEM(S): Systems running Cisco UCS Invicta Software
                              versions 4.3, 4.5, 5.0.1.

======================================================================
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160524-ucs-inv
____________________________________________________________________

Cisco Security Advisory

Cisco UCS Invicta Software Default GPG Key Vulnerability

Medium

Advisory ID:

cisco-sa-20160524-ucs-inv

Published:

2016 May 24 08:30 GMT

Version 1.0:

Final

CVSS Score:

Base - 4.3

Workarounds:

No workarounds available

Cisco Bug IDs:

CSCur85504

CVE-2016-1404

CWE-200


Summary

A vulnerability in Cisco UCS Invicta Software could allow an
unauthenticated, remote attacker to access some encrypted information,
if the attacker can intercept communication between an affected system
and a Cisco UCS Invicta Autosupport server.

The vulnerability is due to the presence of a default, static
encryption key in the affected software. The key is used to encrypt
some of the information that is exchanged between an affected device
and the Autosupport server. An attacker could exploit this
vulnerability by intercepting communication between an affected device
and the Autosupport server and using the key to decrypt some of the
information communicated between them.

Cisco has not released software updates that address this
vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160524-ucs-inv


Affected Products

Vulnerable Products

Cisco UCS Invicta appliances and Cisco UCS Invicta Scaling System
running Cisco UCS Invicta Software Release 4.3, 4.5, or 5.0.1 are
affected by this vulnerability.


Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this
vulnerability.


Workarounds

There are no workarounds that address this vulnerability.


Fixed Software

When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at
http://www.cisco.com/go/psirt and review subsequent advisories to
determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to upgrade
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their contracted
maintenance providers.


Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware
of any public announcements or malicious use of the vulnerability that
is described in this advisory.


Source

This vulnerability was found during the resolution of support cases.

URL

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160524-ucs-inv


Revision History

Version Description 		Section Status 	Date

1.0 	Initial public release. 	Final 	2016-May-24


Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits
the distribution URL is an uncontrolled copy and may lack important
information or contain factual errors. The information in this document
is intended for end users of Cisco products.

==========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================