Security News > 2021 > May > Critical Flaws Hit Cisco SD-WAN vManage and HyperFlex Software
Networking equipment major Cisco has rolled out software updates to address multiple critical vulnerabilities impacting HyperFlex HX and SD-WAN vManage Software that could allow an attacker to perform command injection attacks, execute arbitrary code, and gain access to sensitive information.
The HyperFlex HX command injection vulnerabilities, tracked as CVE-2021-1497 and CVE-2021-1498, affect all Cisco devices running HyperFlex HX software versions 4.0, 4.5, and those prior to 4.0.
Arising due to insufficient validation of user-supplied input in the web-based management interface of Cisco HyperFlex HX Data Platform, the flaws could enable an unauthenticated, remote attacker to perform a command injection attack against a vulnerable device.
Cisco also squashed five glitches affecting SD-WAN vManage Software that could permit an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application.
Nikita Abramov and Mikhail Klyuchnikov of Positive Technologies have been credited with reporting the HyperFlex HX flaws, whereas four of the SD-WAN vManage bugs were identified during internal security testing, with CVE-2021-1275 uncovered during the resolution of a Cisco Technical Assistance Center support case.
VMware on Wednesday released patches to fix a critical severity flaw in vRealize Business for Cloud 7.6 that enables unauthenticated attackers to execute malicious code on vulnerable servers remotely.
News URL
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-05-06 | CVE-2021-1498 | Command Injection vulnerability in Cisco Hyperflex HX Data Platform Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. | 9.8 |
2021-05-06 | CVE-2021-1497 | OS Command Injection vulnerability in Cisco Hyperflex HX Data Platform Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. | 9.8 |
2021-05-06 | CVE-2021-1275 | Resource Exhaustion vulnerability in Cisco Catalyst Sd-Wan Manager and Sd-Wan Vmanage Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application. | 7.5 |