CVE-2018-0238

Name of the Vulnerable Software and Affected Versions: Cisco Unified Computing System (UCS) Director versions 6.0 through 6.5 prior to patch 3

Description: A vulnerability in the role-based resource checking functionality could allow an authenticated, remote attacker to view unauthorized information for any virtual machine in the UCS Director end-user portal and perform any permitted operations on any virtual machine. The vulnerability is due to improper user authentication checks. An attacker could exploit this vulnerability by logging in to the UCS Director with a modified username and valid password. A successful exploit could allow the attacker to gain visibility into and perform actions against all virtual machines in the UCS Director end-user portal of the affected system.

Recommendations: For Cisco Unified Computing System (UCS) Director versions 6.0 through 6.5 prior to patch 3, apply patch 3 to resolve the issue. As a temporary workaround, consider restricting access to the UCS Director end-user portal to minimize the risk of exploitation. Additionally, review and restrict VM Management Actions settings configured under User Permissions to limit the actions that can be performed on virtual machines.