Security News > 2021 > May > Critical Flaws Hit Cisco SD-WAN vManage and HyperFlex Software

Critical Flaws Hit Cisco SD-WAN vManage and HyperFlex Software
2021-05-06 18:50

Networking equipment major Cisco has rolled out software updates to address multiple critical vulnerabilities impacting HyperFlex HX and SD-WAN vManage Software that could allow an attacker to perform command injection attacks, execute arbitrary code, and gain access to sensitive information.

The HyperFlex HX command injection vulnerabilities, tracked as CVE-2021-1497 and CVE-2021-1498, affect all Cisco devices running HyperFlex HX software versions 4.0, 4.5, and those prior to 4.0.

Arising due to insufficient validation of user-supplied input in the web-based management interface of Cisco HyperFlex HX Data Platform, the flaws could enable an unauthenticated, remote attacker to perform a command injection attack against a vulnerable device.

Cisco also squashed five glitches affecting SD-WAN vManage Software that could permit an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application.

Nikita Abramov and Mikhail Klyuchnikov of Positive Technologies have been credited with reporting the HyperFlex HX flaws, whereas four of the SD-WAN vManage bugs were identified during internal security testing, with CVE-2021-1275 uncovered during the resolution of a Cisco Technical Assistance Center support case.

VMware on Wednesday released patches to fix a critical severity flaw in vRealize Business for Cloud 7.6 that enables unauthenticated attackers to execute malicious code on vulnerable servers remotely.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/-BIP1Yle3j8/critical-flaws-hit-cisco-sd-wan-vmanage.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-05-06 CVE-2021-1498 Command Injection vulnerability in Cisco Hyperflex HX Data Platform
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
network
low complexity
cisco CWE-77
critical
9.8
2021-05-06 CVE-2021-1497 OS Command Injection vulnerability in Cisco Hyperflex HX Data Platform
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
network
low complexity
cisco CWE-78
critical
9.8
2021-05-06 CVE-2021-1275 Resource Exhaustion vulnerability in Cisco Catalyst Sd-Wan Manager and Sd-Wan Vmanage
Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application.
network
low complexity
cisco CWE-400
7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Cisco 2046 21 1773 1669 288 3751