Cisco says to patch critical UCS security holes now
Cisco has posted a package of 17 critical security warnings about authentication vulnerabilities in its Unified Computing System that could let attackers break into systems or cause denial of service troubles.
Specifically the problems are with Cisco’s UCS Director and Express which let customers build private-cloud systems and support automated provisioning processes and orchestration to optimize and simplify delivery of data-center resources, the company said.
Most of the problems center around a weakness in the REST API – which is employed in a variety of Web-based applications – in the affected Cisco products. Cisco said the vulnerabilities have a 9.8 out of 10 score on the Common Vulnerability Scoring System.
Some of the problems:
Cisco said it has released free software updates that address the vulnerabilities and has fixed the vulnerabilities in UCS Director Release 6.7.4.0 and UCS Director Express for Big Data Release 3.7.4.0.
Steven Seeley (mr_me) of Source Incite worked with Trend Micro Zero Day Initiative to divulge the problems, which have not been exploited, the company said.
In addition to the UCS products, Cisco issued two other critical security warnings this week with its IP Phones.
First, a vulnerability in the web server for Cisco IP Phones could let an unauthenticated, remote attacker execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition, Cisco stated.
This vulnerability affects the following Cisco products if they have web access enabled and are running a firmware release earlier than the first fixed release for that device:
The other IP Phone issue involves the web application for Cisco IP Phones, which could let an attacker send a crafted HTTP request to the web server of a targeted device. A successful exploit could let the attacker remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition.
The vulnerability exists because the affected software fails to check the bounds of input data, Cisco stated. Cisco said it has released free software updates to fix the problems.
This story, "Cisco says to patch critical UCS security holes now" was originally published by Network World.