Cisco UCS Invicta Software Default GPG Key Vulnerability

A vulnerability in Cisco UCS Invicta Software could allow an unauthenticated, remote attacker to access some encrypted information, if the attacker can intercept communication between an affected system and a Cisco UCS Invicta Autosupport server.

The vulnerability is due to the presence of a default, static encryption key in the affected software. The key is used to encrypt some of the information that is exchanged between an affected device and the Autosupport server. An attacker could exploit this vulnerability by intercepting communication between an affected device and the Autosupport server and using the key to decrypt some of the information communicated between them.

Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160524-ucs-inv[“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160524-ucs-inv”]