Cisco HyperFlex web interface has critical flaw that lets attackers get root and execute arbitrary commands
You know the drill: shake your head in disbelief, then figure out if patching will wipe out a weekend or be merely inconvenient
Cisco has revealed a pair of critical bugs in its HyperFlex hyperconverged infrastructure product.
CVE-2021-1497 impacts the HyperFlex HX Installer Virtual Machine and means an unauthenticated, remote attacker could perform a command injection attack on a web management console that gives them root access and allows them to execute arbitrary commands on an affected device.
CVE-2021-1498 also allows an attacker to use command injection on the management interface, with login as the tomcat8 user. Again, execution of arbitrary commands is on offer.
Cisco’s advisory gives the same explanation for both flaws:
This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface.
CVE-2021-1497 is rated 9.8 on the ten-point Common Vulnerability Scoring System. CVE-2021-1498 is a mere 7.3.
HyperFlex versions pre-4.0, 4.0, and 4.5 are all impacted by one or both flaws. Migration to a patched version of the software is the fix.
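As an added illustration, not Cisco's code and not taken from the advisory, here is a constructed Python web-handler fragment showing the pattern the advisory describes: a user-supplied value concatenated into a shell command line, beside a hardened version that validates the value against an allow-list and runs the utility without a shell. The handler, the hostname check and the use of `ping` are assumptions made for the example.

```python
import re
import shlex
import subprocess

# Constructed example: a management-interface handler that pings a host the
# caller names in the request. Nothing here is Cisco's implementation.

# Allow-list for a DNS hostname or dotted IPv4 address: labels of letters,
# digits and inner hyphens, joined by dots. Anything else is rejected.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Shell tokens that end one command and start another.
SEPARATORS = {";", "&&", "||", "|", "&"}


def build_command_vulnerable(target: str) -> str:
    """Insufficient validation: the request value is pasted into a shell
    string, so shell metacharacters in it are interpreted by /bin/sh with
    the privileges of the service (root or tomcat8 in the advisory)."""
    return f"ping -c 1 {target}"


def command_count(cmdline: str) -> int:
    """Tokenise a command line roughly as a POSIX shell would and count how
    many separate commands it contains; used to show the effect of an
    injected separator without executing anything."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return 1 + sum(1 for tok in lex if tok in SEPARATORS)


def target_is_valid(target: str) -> bool:
    """Allow-list check applied before the value reaches any command."""
    return len(target) <= 253 and HOSTNAME_RE.fullmatch(target) is not None


def build_command_hardened(target: str) -> list[str]:
    """Validate, then return an argv list. Passing a list to subprocess with
    shell=False means the value is one argument, never parsed by a shell."""
    if not target_is_valid(target):
        raise ValueError("invalid hostname in request")
    return ["ping", "-c", "1", target]


def run_hardened(target: str) -> subprocess.CompletedProcess:
    """Execute the hardened form; shell=False is the default and is explicit here."""
    argv = build_command_hardened(target)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)
```

On a crafted value such as `10.0.0.1; id`, the vulnerable builder yields a line a shell would run as two commands, while the hardened builder refuses it before anything is executed.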
Cisco pitches HyperFlex as multi-hypervisor converged infrastructure that can run in the mightiest data centre or the weirdest edge location. The HX VM is used to install and manage VMs, so the flaws have enormous potential for a miscreant to go on a rampage.
Thankfully, Cisco says it’s not seen the flaws exploited in the wild. Nikita Abramov and Mikhail Klyuchnikov of Positive Technologies reported the vulnerabilities. ®