Networking gear main Cisco has rolled out software program updates to deal with a number of crucial vulnerabilities impacting HyperFlex HX and SD-WAN vManage Software program that might permit an attacker to carry out command injection assaults, execute arbitrary code, and achieve entry to delicate info.
In a sequence of advisories printed on Could 5, the corporate stated there aren’t any workarounds that remediate the problems.
The HyperFlex HX command injection vulnerabilities, tracked as CVE-2021-1497 and CVE-2021-1498 (CVSS scores 9.8), have an effect on all Cisco gadgets operating HyperFlex HX software program variations 4.0, 4.5, and people previous to 4.0. Arising because of inadequate validation of user-supplied enter within the web-based administration interface of Cisco HyperFlex HX Knowledge Platform, the failings may allow an unauthenticated, distant attacker to carry out a command injection assault in opposition to a weak system.
“An attacker may exploit this vulnerability by sending a crafted request to the web-based administration interface,” the corporate said in its alert. “A profitable exploit may permit the attacker to execute arbitrary instructions” both as a root or tomcat8 consumer.
Cisco additionally squashed five glitches affecting SD-WAN vManage Software program (CVE-2021-1275, CVE-2021-1468, CVE-2021-1505, CVE-2021-1506, and CVE-2021-1508) that might allow an unauthenticated, distant attacker to execute arbitrary code or achieve entry to delicate info, or permit an authenticated, native attacker to realize escalated privileges or achieve unauthorized entry to the applying.
Nikita Abramov and Mikhail Klyuchnikov of Optimistic Applied sciences have been credited with reporting the HyperFlex HX, whereas 4 of the SD-WAN vManage bugs have been recognized throughout inside safety testing, with CVE-2021-1275 uncovered through the decision of a Cisco Technical Help Middle (TAC) assist case.
Whereas there isn’t a proof of malicious use of the vulnerabilities within the wild, it is advisable that customers improve to the newest model to mitigate the chance related to the failings.
VMware Fixes Vital vRealize Enterprise for Cloud Bug
It isn’t simply Cisco. VMware on Wednesday launched patches to repair a critical severity flaw in vRealize Enterprise for Cloud 7.6 that permits unauthenticated attackers to execute malicious code on weak servers remotely.
The distant code execution flaw (CVE-2021-21984, CVSS rating: 9.8) stems from an unauthorized VAMI endpoint, leading to a situation that might trigger an adversary with community entry to run unauthorized code on the equipment. Affected clients can rectify the problem by installing the safety patch ISO file.
Vmware credited Egor Dimitrenko of Optimistic Applied sciences for reporting the vulnerability.