Cisco Security Advisory: Cisco HyperFlex Software Static Signing Key Vulnerability
Advisory ID: cisco-sa-20181003-hyperflex-secret
Revision: 1.0
For Public Release: 2018 October 3 16:00 GMT
Last Updated: 2018 October 3 16:00 GMT
CVE ID(s): CVE-2018-15382
CVSS Score v(3): 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
+---------------------------------------------------------------------
Summary
=======
A vulnerability in Cisco HyperFlex Software could allow an unauthenticated, remote attacker to generate valid, signed session tokens.
The vulnerability is due to a static signing key that is present in all Cisco HyperFlex systems. An attacker could exploit this vulnerability by accessing the static signing key from one HyperFlex system and using it to generate valid, signed session tokens for another HyperFlex system. A successful exploit could allow the attacker to access the HyperFlex Web UI of a system for which they are not authorized.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
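Added example (not Cisco's code and not part of the original advisory): a minimal Python model of the flaw class described above, assuming HMAC-SHA256 session tokens, since the advisory does not state the token format. The System class, the key value and all function names are hypothetical; the block shows the static-key design beside a per-install key, plus a fleet audit that flags systems sharing a key.

```python
import base64, hashlib, hmac, json, secrets
from collections import defaultdict

# Constructed stand-in for a signing key baked into a software image:
# every system installed from that image holds the same bytes.
STATIC_IMAGE_KEY = b"constructed-demo-key-identical-on-every-install"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

class System:
    """Hypothetical system that issues and verifies HMAC-signed session tokens."""

    def __init__(self, system_id: str, per_install_key: bool):
        self.system_id = system_id
        # Corrected design: a random key generated on this install only.
        self.key = secrets.token_bytes(32) if per_install_key else STATIC_IMAGE_KEY

    def _tag(self, body: str) -> str:
        return _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())

    def issue(self, user: str) -> str:
        body = _b64(json.dumps({"sub": user, "iss": self.system_id}).encode())
        return f"{body}.{self._tag(body)}"

    def verify(self, token: str) -> bool:
        body, _, tag = token.partition(".")
        return hmac.compare_digest(self._tag(body).encode(), tag.encode())

    def key_fingerprint(self) -> str:
        # Lets an audit compare keys across a fleet without handling key bytes.
        return hashlib.sha256(b"fleet-audit:" + self.key).hexdigest()

def token_crosses_systems(per_install_key: bool) -> bool:
    """True if a token issued by system A is accepted by system B."""
    a = System("system-a", per_install_key)
    b = System("system-b", per_install_key)
    return b.verify(a.issue("admin"))

def shared_key_groups(systems):
    """Group system ids by key fingerprint; any group larger than one is a finding."""
    groups = defaultdict(list)
    for s in systems:
        groups[s.key_fingerprint()].append(s.system_id)
    return [sorted(ids) for ids in groups.values() if len(ids) > 1]

if __name__ == "__main__":
    print("static key, A's token accepted by B:", token_crosses_systems(False))
    print("per-install key, A's token accepted by B:", token_crosses_systems(True))
```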
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-hyperflex-secret