Cisco Critical Vulnerabilities Enable Remote Attackers to Execute Commands
The vManage and HyperFlex HX Bugs Allow Attackers to Create Admin Accounts and Run Malicious Code.
Cisco recently announced that it had patched critical security bugs in vManage and HyperFlex HX that could have permitted remote attackers to run commands as root or create unauthorized administrator accounts.
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX and SD-WAN vManage could have allowed an unauthenticated, remote attacker to execute arbitrary code, escalate privileges, trigger DoS conditions, or access confidential data, the company notes.
Cisco has also released security updates for high- and medium-severity vulnerabilities, noting that authenticated local attackers could take advantage of these flaws to obtain elevated privileges or unauthorized access to an affected application.
According to Cisco,
The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit the other vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerability.
The company rated the following three security issues as critical:
#1. CVE-2021-1468: Cisco SD-WAN vManage Cluster Mode Unauthorized Message Processing Vulnerability
This vulnerability is caused by improper authentication checks on user-supplied input to an application messaging service. Threat actors could exploit it by submitting crafted input to the service. A successful exploit could allow the attacker to call privileged actions within the affected system, including creating new administrative-level user accounts.
#2. CVE-2021-1497: Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability
This flaw is caused by insufficient validation of user-supplied input. Attackers could exploit it by sending a crafted request to the web-based management interface. A successful exploit could allow them to execute arbitrary commands on an affected device as the root user.
#3. CVE-2021-1498: Cisco HyperFlex HX Data Platform Command Injection Vulnerability
This vulnerability was also caused by insufficient validation of user-supplied input. Threat actors could exploit it by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary commands on an affected device as the tomcat8 user.
According to the Cisco Product Security Incident Response Team (PSIRT), the vulnerabilities are not being actively exploited in the wild. The critical Cisco SD-WAN vManage flaw affects only installations running in cluster mode.
The company advises customers to check whether vManage is running in cluster mode by looking at the Administration > Cluster Management view in the Cisco SD-WAN vManage web-based management GUI.