Cisco has addressed two critical security vulnerabilities in the SD-WAN vManage Software, one of which could allow an unauthenticated attacker to carry out remote code execution (RCE) on corporate networks or steal information.
The networking giant also disclosed a denial-of-service issue in vManage, along with locally exploitable bugs that would allow an authenticated attacker to escalate privileges or gain unauthorized access to applications.
Separately, Cisco patched two vulnerabilities in the Cisco HyperFlex HX platform, one of them rated critical.
Critical vManage Security Bugs
vManage is a centralized network management system that provides a GUI to easily monitor, configure and maintain all devices and links in the overlay SD-WAN. According to Cisco’s Wednesday advisory, there are five security holes in the software, the first four of which are only exploitable if the platform is running in cluster mode:
- CVE-2021-1468: Critical Unauthorized Message-Processing Vulnerability (RCE)
- CVE-2021-1505: Critical Privilege-Escalation Vulnerability
- CVE-2021-1508: High-Severity Unauthorized-Access Vulnerability
- CVE-2021-1506: High-Severity Unauthorized Services-Access Vulnerability
- CVE-2021-1275: High-Severity Denial-of-Service Vulnerability
The issue tracked as CVE-2021-1468 is the most severe of the five, carrying a CVSS vulnerability-severity score of 9.8 out of 10. It exists in a messaging service used by vManage, and is due to improper authentication checks on user-supplied input to an application messaging service, according to Cisco.
Unauthenticated, remote adversaries could mount a cyberattack by submitting crafted input to the service. That would allow them to call privileged actions within the affected system, including creating new administrative level user accounts, the advisory said.
Meanwhile, the local privilege-escalation (LPE) bug tracked as CVE-2021-1505 has a CVSS score of 9.1. It exists in the web-based management interface of vManage and would allow an authenticated, remote attacker to bypass authorization checking to gain elevated privileges within the system.
Similarly, CVE-2021-1508, which has a CVSS score of 8.1, is an LPE bug that can also be found in the web-based management interface. It would also allow an authenticated, remote attacker to bypass authorization checking in order to gain access to forbidden applications, make application modifications and also gain elevated privileges.
Both local bugs exist “because the affected software does not perform authorization checks on certain operations,” according to Cisco.
A third locally exploitable bug, CVE-2021-1506, carries a CVSS score of 7.2. It allows an authenticated, remote attacker to gain unauthorized access to services within an affected system, because the system doesn’t perform authorization checks on service access.
And in all three local cases, an attacker could trigger exploits by sending crafted requests to the affected system.
And finally, the CVE-2021-1275 DoS flaw (CVSS score 7.5) exists in a vManage API. Attackers can send a large number of API requests to a target system to tie it up and prevent it from functioning properly.
“The vulnerability is due to insufficient handling of API requests to the affected system,” according to Cisco.
Cisco HyperFlex HX Command-Injection Bugs
The HyperFlex HX software is used to manage hybrid IT environments by converging the oversight of the various applications that enterprises house within data centers – across both traditional and cloud-native/containerized applications.
Cisco said Wednesday that multiple vulnerabilities in the platform’s web-based management interface could allow an unauthenticated, remote attacker to perform command-injection attacks against an affected device.
Cisco has patched two security bugs in HyperFlex HX in total:
- CVE-2021-1497: Critical Installer Virtual Machine Command-Injection Vulnerability
- CVE-2021-1498: High-Severity Data Platform Command-Injection Vulnerability
The first is a critical flaw with a 9.8 CVSS rating.
“This vulnerability is due to insufficient validation of user-supplied input,” according to Cisco. “A successful exploit could allow the attacker to execute arbitrary commands on an affected device as the root user.”
The second bug rates 7.2 on the CVSS scale, and is due to insufficient validation of user-supplied input, according to Cisco, which added, “A successful exploit could allow the attacker to execute arbitrary commands on an affected device as the tomcat8 user.”
Both flaws can be exploited by sending a crafted request to the web-based management interface.
These are just the latest bugs addressed by the tech behemoth this year. In February, Cisco addressed a critical vulnerability in its intersite policy manager software for the Nexus 3000 Series switches and Nexus 9000 Series switches that could allow a remote attacker to bypass authentication. And in January, it killed a high-severity flaw in its smart Wi-Fi solution for retailers that could allow a remote attacker to alter the password of any account user on affected systems.