Cisco has released another batch of security updates, this time to prevent attackers from exploiting multiple critical vulnerabilities in its SD-WAN vManage Software and HyperFlex HX.
The two HyperFlex HX vulnerabilities could “allow an unauthenticated, remote attacker to perform command injection attacks against an affected device,” Cisco said in an advisory.
The first vulnerability, CVE-2021-1497, affects HyperFlex HX Installer Virtual Machine and could see an attacker craft a request that the application does not recognise due to “insufficient validation of user-supplied input”. If successful, an attacker could execute arbitrary commands on an affected device with root access on the web management console.
It is rated 9.8 out of 10 on the Common Vulnerability Scoring System.
The second vulnerability, CVE-2021-1498, affects Cisco HyperFlex HX Data Platform. Once again it is due to insufficient validation of user-supplied input and can be exploited by an attacker to “execute arbitrary commands on an affected device as the tomcat8 user”. It has a critical vulnerability rating of 7.3.
HyperFlex versions running before 4.5 are affected by one or both of the vulnerabilities. There are no workarounds.
Separately, Cisco rolled out fixes for five vulnerabilities in its SD-Wan vManage Software, a centralised system for managing devices in the overlay SD-WAN.
According to Cisco’s advisory, published Wednesday, they are:
- CVE-2021-1468: Critical Unauthorized Message-Processing Vulnerability (RCE)
- CVE-2021-1505: Critical Privilege-Escalation Vulnerability
- CVE-2021-1508: High-Severity Unauthorized-Access Vulnerability
- CVE-2021-1506: High-Severity Unauthorized Services-Access Vulnerability
- CVE-2021-1275: High-Severity Denial-of-Service Vulnerability
The most serious is CV-2021-1468, which has a severity score of 9.8. If exploited, an attacker carry out privileged actions such as creating new administrative level accounts.
Once again there are no workarounds, which means patching is the only option to ensure protection. Cisco said there was no evidence that any of the recently published vulnerabilities had been exploited in the wild.
These latest patches follow Cisco patches in February for its Nexus 3000 Series and Nexus 9000 Series data centre switches. In January it patched a flaw in its smart Wi-Fi solutions for retailers that allowed attackers to change passwords on affected systems.