Cisco has addressed two critical security vulnerabilities in its SD-WAN vManage software, one of which could allow an unauthenticated attacker to carry out remote code execution (RCE) on corporate networks or steal information.
The company has rolled out patches for remote code-execution and command-injection issues that could give attackers access to affected systems.
It also disclosed a denial-of-service (DoS) issue in vManage, along with locally exploitable bugs that would allow an authenticated attacker to escalate privileges or gain unauthorised access to applications.
Cisco also patched two vulnerabilities in its HyperFlex HX platform, one of them rated critical.
vManage Security Bugs
vManage is a centralised network management system that provides a graphical interface for monitoring, configuring and maintaining all devices and links in the SD-WAN overlay. According to Cisco's Wednesday advisory, the software contains five security holes, the first four of which are exploitable only when the platform is running in cluster mode:
- CVE-2021-1468: Critical Unauthorised Message-Processing Vulnerability (RCE)
- CVE-2021-1505: Critical Privilege-Escalation Vulnerability
- CVE-2021-1508: High-Severity Unauthorised-Access Vulnerability
- CVE-2021-1506: High-Severity Unauthorised Services-Access Vulnerability
- CVE-2021-1275: High-Severity Denial-of-Service Vulnerability
The issue tracked as CVE-2021-1468 is the most severe of the five, carrying a CVSS vulnerability-severity score of 9.8 out of 10. It exists in the messaging service used by vManage and is due to improper authentication checks on user-supplied input to that application messaging service, according to Cisco.
Unauthenticated, remote adversaries could exploit it by submitting crafted input to the service, which would allow them to call privileged actions within the affected system, including creating new administrator-level user accounts, the advisory stated.
Meanwhile, the local privilege-escalation (LPE) bug tracked as CVE-2021-1505 has a CVSS score of 9.1. It exists in the web-based management interface of vManage and would allow an authenticated, remote attacker to bypass authorisation checking to gain elevated privileges within the system.
Bypass Authorisation Checking
Similarly, CVE-2021-1508, which has a CVSS score of 8.1, is an LPE bug that also resides in the web-based management interface. It would allow an authenticated, remote attacker to bypass authorisation checking in order to gain access to forbidden applications, modify applications and gain elevated privileges.
Both local bugs exist “because the affected software does not perform authorisation checks on certain operations,” according to Cisco.
A third locally exploitable bug, CVE-2021-1506, carries a CVSS score of 7.2. It allows an authenticated, remote attacker to gain unauthorised access to services within an affected system, because the system does not perform authorisation checks on service access.
In all three local cases, an attacker could trigger the flaws by sending crafted requests to the affected system.
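The three local bugs share one root cause, the absence of an authorisation check on specific operations. The following is an added example, not Cisco's code and not taken from vManage, that contrasts a per-operation, hand-written check (the defect pattern) with a deny-by-default policy lookup that every management operation must pass. The operation names, roles, user names and audit-log format are all constructed for the illustration.

```python
# Added example (not Cisco's code): a deny-by-default authorisation layer for
# management operations, illustrating the control the advisory says was missing
# ("does not perform authorisation checks on certain operations"). Operation
# names, roles and users are constructed for this illustration.
from dataclasses import dataclass, field


class AuthorizationError(PermissionError):
    """Raised when an actor attempts an operation its roles do not permit."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# Central policy: operation -> roles permitted to invoke it.
# Any operation absent from this table is denied for everyone.
OPERATION_POLICY = {
    "view_status": frozenset({"viewer", "operator", "admin"}),
    "push_config": frozenset({"operator", "admin"}),
    "create_admin_user": frozenset({"admin"}),
}


def is_authorized(op: str, actor: User) -> bool:
    """True only if the policy lists `op` and the actor holds a permitted role."""
    return bool(OPERATION_POLICY.get(op, frozenset()) & actor.roles)


@dataclass
class ManagementSystem:
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _execute(self, op: str, actor: User, **params) -> str:
        # The privileged action itself; it relies on the dispatcher having
        # already authorised the caller.
        if op == "create_admin_user":
            name = params["username"]
            self.users[name] = User(name, frozenset({"admin"}))
        self.audit_log.append((actor.name, op, "OK"))
        return f"{op}:ok"

    def vulnerable_dispatch(self, op: str, actor: User, **params) -> str:
        # Defect pattern: the check is hand-written per operation, so an
        # operation nobody remembered to guard is reachable by any caller.
        if op == "push_config" and not actor.roles & {"operator", "admin"}:
            raise AuthorizationError(f"{actor.name} may not {op}")
        return self._execute(op, actor, **params)

    def hardened_dispatch(self, op: str, actor: User, **params) -> str:
        # Every operation passes through one policy lookup before execution;
        # a denial is logged so the attempt is visible to detection.
        if not is_authorized(op, actor):
            self.audit_log.append((actor.name, op, "DENIED"))
            raise AuthorizationError(f"{actor.name} may not {op}")
        return self._execute(op, actor, **params)


def demo() -> dict:
    """Run both dispatchers with a low-privileged account; return the outcomes."""
    operator = User("ops-user", frozenset({"operator"}))
    admin = User("net-admin", frozenset({"admin"}))
    weak, strong = ManagementSystem(), ManagementSystem()
    results = {}

    # Unguarded operation: the operator silently gains an admin account.
    weak.vulnerable_dispatch("create_admin_user", operator, username="new-account")
    results["weak_created_admin"] = "new-account" in weak.users

    # Same request against the deny-by-default dispatcher is refused and logged.
    try:
        strong.hardened_dispatch("create_admin_user", operator, username="new-account")
        results["strong_denied"] = False
    except AuthorizationError:
        results["strong_denied"] = True
    results["strong_created_admin"] = "new-account" in strong.users
    results["denial_logged"] = ("ops-user", "create_admin_user", "DENIED") in strong.audit_log

    # Legitimate uses still work.
    results["operator_can_view"] = strong.hardened_dispatch("view_status", operator) == "view_status:ok"
    results["admin_can_create"] = strong.hardened_dispatch(
        "create_admin_user", admin, username="second-admin") == "create_admin_user:ok"
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that authorisation lives in one table consulted on every call path rather than in checks scattered through handlers; an operation that is missing from the table fails closed, and the logged denial gives a SOC a concrete event to alert on.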
Finally, the CVE-2021-1275 DoS flaw (CVSS score 7.5) exists in a vManage API. An attacker could send a large number of API requests to a target system to tie it up and prevent it from functioning properly.
“The vulnerability is due to insufficient handling of API requests to the affected system,” according to Cisco.
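"Insufficient handling of API requests" typically means the service does work for every request it receives, however many arrive from one client. As an added example, not Cisco's code and unrelated to the actual vManage API, the block below puts a per-client token-bucket limiter in front of an API handler so that a flood is rejected cheaply before it reaches the expensive path. The client identifiers, the API path and the FakeClock are constructed so the run is deterministic and offline.

```python
# Added example (not Cisco's code): per-client token-bucket limiting in front of
# an API handler, the kind of request handling whose absence lets a flood of
# calls tie up a management system. FakeClock, client IDs and the path are
# constructed so the run is deterministic and offline.
import time


class TokenBucketLimiter:
    """Each client may burst up to `burst` requests, then proceed at `rate` per second."""

    def __init__(self, rate_per_sec: float, burst: int, clock=time.monotonic):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.clock = clock
        self._buckets = {}  # client_id -> (tokens, last_refill_time)

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(client_id, (self.burst, now))
        # Refill proportionally to elapsed time, capped at the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[client_id] = (tokens - 1.0, now)
            return True
        self._buckets[client_id] = (tokens, now)
        return False


class FakeClock:
    """Deterministic stand-in for time.monotonic()."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def handle_api_request(limiter: TokenBucketLimiter, client_id: str, path: str):
    """Return (status, body); excess requests are rejected before any real work."""
    if not limiter.allow(client_id):
        return 429, "rate limit exceeded"
    # Real handler work (database lookups, config rendering) would go here.
    return 200, f"handled {path}"


def simulate_flood(n_requests: int, rate_per_sec: float = 10, burst: int = 5) -> dict:
    """Constructed scenario: one client floods the API while another behaves."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(rate_per_sec, burst, clock)

    # Flood from a single client with no time passing between requests.
    statuses = [handle_api_request(limiter, "198.51.100.5", "/api/status")[0]
                for _ in range(n_requests)]
    # A different client is unaffected: limits are tracked per client.
    other_status = handle_api_request(limiter, "198.51.100.9", "/api/status")[0]
    # After half a second at 10 req/s the flooding client has refilled its bucket.
    clock.advance(0.5)
    after_wait = handle_api_request(limiter, "198.51.100.5", "/api/status")[0]

    return {
        "accepted": statuses.count(200),
        "rejected": statuses.count(429),
        "other_client": other_status,
        "after_wait": after_wait,
    }


if __name__ == "__main__":
    print(simulate_flood(50))
```

Returning 429 early is the cheap part; the limiter must also be keyed on something the attacker cannot freely vary (an authenticated session or a source address behind a trusted proxy), and the count of 429 responses per client is itself a useful detection signal.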
Cisco HyperFlex HX Command-Injection Bugs
HyperFlex HX software is used to manage hybrid IT environments by converging the oversight of the various applications that enterprises house within data centres, across both traditional and cloud-native/containerised applications.
Cisco said Wednesday that multiple vulnerabilities in the platform's web-based management interface could allow an unauthenticated, remote attacker to perform command-injection attacks against an affected device.
Cisco has patched two security bugs in HyperFlex HX in total:
- CVE-2021-1497: Critical Installer Virtual Machine Command-Injection Vulnerability
- CVE-2021-1498: High-Severity Data Platform Command-Injection Vulnerability
The first is a critical flaw with a 9.8 CVSS rating.
“This vulnerability is due to insufficient validation of user-supplied input,” according to Cisco. “A successful exploit could allow the attacker to execute arbitrary commands on an affected device as the root user.”
The second bug rates 7.2 on the CVSS scale and is likewise due to insufficient validation of user-supplied input, according to Cisco, which added, “A successful exploit could allow the attacker to execute arbitrary commands on an affected device as the tomcat8 user.”
Both flaws can be exploited by sending a request to the web-based management interface.
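Both HyperFlex bugs are described as "insufficient validation of user-supplied input" in a web interface that ends up running commands. The block below is an added example, not Cisco's code and not modelled on HyperFlex internals, showing the defect class beside a hardened handler for a hypothetical diagnostic endpoint that takes a host name: the weak version splices the value into a shell string, the hardened version validates it against a strict allowlist and builds an argv list so no shell ever parses it. The endpoint, parameter name, regular expression and sample inputs are all constructed; nothing here runs a command.

```python
# Added example (not Cisco's code): the command-injection defect class named in
# the advisory ("insufficient validation of user-supplied input") beside a
# hardened handler. The diagnostic endpoint, parameter names and sample inputs
# are constructed for illustration; no command is executed in this example.
import re
import subprocess

# Allowlist for a DNS host name or dotted IPv4 literal: labels of letters,
# digits and inner hyphens, joined by dots, 253 characters at most.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_hostname(value: str) -> bool:
    """True only for input that matches the allowlist exactly."""
    return bool(HOSTNAME_RE.match(value))


def vulnerable_build(host: str) -> str:
    """Defect: the raw value is spliced into a shell command line, so any shell
    metacharacters it carries become part of the command when the string is
    handed to subprocess.run(..., shell=True)."""
    return f"ping -c 1 {host}"


def hardened_build(host: str) -> list:
    """Validate first, then build an argv list: the value is exactly one
    argument and is never interpreted by a shell."""
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def run_hardened(host: str) -> subprocess.CompletedProcess:
    """Execute the validated argv without a shell (not called by the demo)."""
    return subprocess.run(hardened_build(host), capture_output=True, timeout=10)


def handle_diagnostic_request(params: dict):
    """Hypothetical web handler: returns (status, body) and rejects bad input
    before any process is spawned, recording the rejected value for review."""
    host = params.get("host", "")
    try:
        argv = hardened_build(host)
    except ValueError as exc:
        return 400, {"error": str(exc), "rejected_input": host}
    return 200, {"argv": argv}


def demo() -> dict:
    """Constructed inputs: a clean host name and one carrying shell syntax."""
    clean, tampered = "host.example", "host.example; echo injected"
    return {
        "weak_keeps_payload": "; echo injected" in vulnerable_build(tampered),
        "hardened_clean": handle_diagnostic_request({"host": clean}),
        "hardened_tampered": handle_diagnostic_request({"host": tampered}),
    }


if __name__ == "__main__":
    print(demo())
```

Validation and argv construction remove the injection; the separate lesson in the advisory's "as the root user" wording is that the web service itself should run as an unprivileged account, so that a flaw that does slip through yields a low-privileged shell rather than full control of the device.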
These are just the latest bugs dealt with by the company this year. In February, Cisco addressed a critical vulnerability in its inter-site policy manager software for the Nexus 3000 Series and Nexus 9000 Series switches that could allow a remote attacker to bypass authentication.
Also, in January, it fixed a high-severity flaw in its smart Wi-Fi solution for retailers that could allow a remote attacker to alter the password of any account user on affected systems.