Pierluigi Paganini February 22, 2019

Cisco released security patches that address more than a dozen issues in its products, including high severity flaws in HyperFlex, Prime Infrastructure, and Prime Collaboration Assurance.

Cisco released security patches that address more than a dozen issues in its products, including high severity vulnerabilities affecting HyperFlex, Prime Infrastructure, and Prime Collaboration Assurance.

Security updates fix two High risk security flaws in HyperFlex software.

The first one is a command injection vulnerability (CVE-2018-15380) in the cluster service manager of the application caused by insufficient input validation, it could be exploited by an attacker to run commands as the root user.

“A vulnerability in the cluster service manager of Cisco HyperFlex Software could allow an unauthenticated, adjacent attacker to execute commands as the root user.” reads the security advisory published by Cisco.

“The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by connecting to the cluster service manager and injecting commands into the bound process. A successful exploit could allow the attacker to run commands on the affected host as the root user.”

The second issue is an unauthenticated root access bug (CVE-2019-1664) in the hxterm service of the software caused insufficient authentication controls, it could allow an attacker to gain root access to all member nodes of the HyperFlex cluster.

“A vulnerability in the hxterm service of Cisco HyperFlex Software could allow an unauthenticated, local attacker to gain root access to all nodes in the cluster.” reads the advisory.

“The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by connecting to the hxterm service as a non-privileged, local user. A successful exploit could allow the attacker to gain root access to all member nodes of the HyperFlex cluster.”

Both vulnerabilities affect the HyperFlex software releases prior to 3.5(2a).

Cisco addressed a High severity certificate validation bug in the Identity Services Engine (ISE) integration feature of Prime Infrastructure (PI). The flaw tracked as CVE-2019-1659, could be exploited by an unauthenticated, remote attacker to carry out man-in-the-middle attacks on the Secure Sockets Layer (SSL) tunnel established between ISE and PI.

The flaw is caused by improper validation of the server SSL certificate when an SSL tunnel is established between ISE and PI. The vulnerability affects Prime Infrastructure Software releases 2.2 through 3.4.0 when the PI server is integrated with ISE, that is disabled by default.

The tech giant also addressed another High risk bug (CVE-2019-1662) in the Quality of Voice Reporting (QOVR) service of Prime Collaboration Assurance (PCA) Software. The issue is caused by the insufficient authentication controls and could be exploited by an unauthenticated, remote attacker to access the system as a valid user. The vulnerability affects releases prior to 12.1 SP2.

Cisco also addressed a severity directory traversal vulnerability (CVE-2019-1681) in the TFTP service of Cisco Network Convergence System 1000 Series that could allow an unauthenticated, remote attacker to retrieve arbitrary files from the targeted device. The vulnerability affects IOS XR Software releases prior to 6.5.2 for Network Convergence System 1000 Series when the TFTP service is enabled.

Cisco also released security fixed for 11 Medium severity flaws in Webex Meetings Online, Webex Teams, Internet of Things Field Network Director (IoT-FND) Software, HyperFlex, Firepower Threat Defense, Firepower 9000 Series Firepower 2-Port 100G Double-Width Network Module Queue Wedge, Unity Connection, IP Phone 7800 and 8800 Series, and SPA112, SPA525, and SPA5X5 Series IP Phones.

The full list of Cisco Security Advisories and Alerts is available here.

Pierluigi Paganini

(SecurityAffairs – Cisco Hyperflex, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]