Cisco has released fixes for a batch of security vulnerabilities affecting various products: 16 flaws in total, rated medium or high severity. Two of these, both in Cisco HyperFlex Software, could give an attacker root access. No critical-severity vulnerabilities were reported in this batch. Cisco advises customers to update affected devices to the latest patched versions.
Multiple Vulnerabilities Patched In Cisco HyperFlex
This week, Cisco rolled out patches for multiple security flaws affecting Cisco HyperFlex. These include two high-severity vulnerabilities that could let an attacker gain root access.
The first of these vulnerabilities, CVE-2018-15380, existed in the cluster service manager of the software. As described by Cisco in its advisory,
“The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by connecting to the cluster service manager and injecting commands into the bound process. A successful exploit could allow the attacker to run commands on the affected host as the root user.”
The other high-severity vulnerability, CVE-2019-1664, existed in the hxterm service. Cisco described it as follows:
“The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by connecting to the hxterm service as a non-privileged, local user. A successful exploit could allow the attacker to gain root access to all member nodes of the HyperFlex cluster.”
Cisco has patched both of these vulnerabilities in Cisco HyperFlex Release 3.5(2a).
Cisco has also patched three medium-severity flaws in the same software: a cross-site scripting vulnerability (CVE-2019-1665), an unauthenticated statistics retrieval vulnerability (CVE-2019-1666), and an arbitrary statistics write vulnerability (CVE-2019-1667).
Flaws Patched In Other Cisco Products
Apart from the five HyperFlex vulnerabilities above, Cisco also released fixes for 11 other security bugs. These include a content injection vulnerability in Cisco Webex Meetings Online, reported by Prasenjit Kanti Paul. This medium-severity vulnerability, CVE-2019-1680, is due to improper input validation and could let an attacker inject arbitrary text into the browser of a targeted user. According to the advisory, it affected all Cisco Webex Meetings Online releases prior to 1.3.42.
Another noteworthy flaw, CVE-2019-1683, reported by Jan Dubový, affected the certificate handling component of certain Cisco IP Phones.
In addition, Cisco fixed three high-severity vulnerabilities affecting the Network Convergence System 1000 Series (CVE-2019-1681), Cisco Prime Collaboration Assurance (PCA) Software (CVE-2019-1662), and Cisco Prime Infrastructure (PI) (CVE-2019-1659).
Other products receiving fixes include Webex Teams for iOS, IoT Field Network Director, Firepower Threat Defense Software, the Firepower 9000 Series, Cisco Unity Connection, and the Cisco IP Phone 7800 and 8800 Series.
Cisco states that it is not aware of any active exploitation of these bugs. Users of all of these products should nonetheless update their systems promptly to stay protected.