Critical Flaws Hit Cisco SD-WAN vManage and HyperFlex Software
Networking equipment major Cisco has rolled out software updates to address multiple critical vulnerabilities impacting HyperFlex HX and SD-WAN vManage Software that could allow an attacker to perform command injection attacks, execute arbitrary code, and gain access to sensitive information.
In a series of advisories published on May 5, the company said there are no workarounds that remediate the issues.
The HyperFlex HX command injection vulnerabilities, tracked as CVE-2021-1497 and CVE-2021-1498 (CVSS scores 9.8), affect all Cisco devices running HyperFlex HX software versions 4.0, 4.5, and those prior to 4.0. Arising from insufficient validation of user-supplied input in the web-based management interface of Cisco HyperFlex HX Data Platform, the flaws could enable an unauthenticated, remote attacker to perform a command injection attack against a vulnerable device.
“An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface,” the company said in its alert. “A successful exploit could allow the attacker to execute arbitrary commands” either as the root or the tomcat8 user.
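As an added illustration of the bug class the advisory describes (this is not Cisco's code; the HyperFlex implementation is not public), the Python sketch below models a diagnostic feature of a web management interface that takes a user-supplied "host" parameter. The parameter name and the use of echo as a stand-in for the real tool are assumptions made so the example runs anywhere. It places the weak pattern (untrusted input spliced into a shell string) beside two mitigation layers a developer or reviewer would check for, and includes the canary check a security unit test would use to catch a regression.

```python
import re
import subprocess
from typing import List

# Constructed stand-in for a diagnostic endpoint in a web management UI that
# takes a user-supplied "host" parameter. 'echo' replaces the real tool
# (e.g. ping) so the example runs offline; the injection mechanics are the same.

# Allow-list for the only shape a hostname or IPv4 literal should take here.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def run_vulnerable(host: str) -> str:
    """Insufficient validation plus a shell string: the weak pattern.

    The untrusted value is spliced into a command line handed to /bin/sh, so
    shell metacharacters (';', '|', '$(...)') inside 'host' are executed with
    whatever privileges the service runs under.
    """
    cmd = f"echo pinging {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(host: str) -> str:
    """Mitigation layer 1: no shell. The value is one argv element, never parsed."""
    argv: List[str] = ["echo", "pinging", host]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_hardened(host: str) -> str:
    """Mitigation layers 1 and 2: allow-list validation, then argv without a shell."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return run_argv_only(host)


def injection_detected(output: str, marker: str = "INJECTED") -> bool:
    """Regression check: did the canary run as a separate command?

    With argv execution the marker can only appear as literal text inside the
    'pinging ...' line, never on a line of its own.
    """
    return any(line.strip() == marker for line in output.splitlines())


if __name__ == "__main__":
    payload = "10.0.0.1; echo INJECTED"   # constructed canary value
    print("vulnerable :", repr(run_vulnerable(payload)))
    print("argv only  :", repr(run_argv_only(payload)))
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened   :", exc)
    print("hardened ok:", repr(run_hardened("10.0.0.1")))
```

The two layers are independent: dropping the shell removes the interpreter that gives metacharacters meaning, and the allow-list rejects anything that is not a plausible host before it reaches the process call. Running the service as an unprivileged account rather than root limits what a command injection can reach if both layers fail.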
Cisco also squashed five glitches affecting SD-WAN vManage Software (CVE-2021-1275, CVE-2021-1468, CVE-2021-1505, CVE-2021-1506, and CVE-2021-1508) that could permit an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application.
Nikita Abramov and Mikhail Klyuchnikov of Positive Technologies have been credited with reporting the HyperFlex HX vulnerabilities, whereas four of the SD-WAN vManage bugs were identified during internal security testing, with CVE-2021-1275 uncovered during the resolution of a Cisco Technical Assistance Center (TAC) support case.
While there is no evidence of malicious use of the vulnerabilities in the wild, it’s recommended that users upgrade to the latest version to mitigate the risk associated with the flaws.
VMware Fixes Critical vRealize Business for Cloud Bug
It’s not just Cisco. VMware on Wednesday released patches to fix a critical severity flaw in vRealize Business for Cloud 7.6 that enables unauthenticated attackers to execute malicious code on vulnerable servers remotely.
The remote code execution flaw (CVE-2021-21984, CVSS score: 9.8) stems from an unauthorized VAMI endpoint, resulting in a scenario that could cause an adversary with network access to run unauthorized code on the appliance. Affected customers can rectify the issue by installing the security patch ISO file.
VMware credited Egor Dimitrenko of Positive Technologies for reporting the vulnerability.