Cisco Patches High Severity Flaws in HyperFlex, Prime Infrastructure
Cisco this week released patches for more than a dozen vulnerabilities across its product portfolio, including high severity flaws in HyperFlex, Prime Infrastructure, and Prime Collaboration Assurance.
Two High risk security bugs were addressed in HyperFlex software, namely a command injection issue in the cluster service manager of the application, and an unauthenticated root access flaw in the hxterm service of the software.
Created by insufficient input validation and insufficient authentication controls, respectively, the vulnerabilities could allow an attacker to run commands as the root user or gain root access to all member nodes of the HyperFlex cluster.
Tracked as CVE-2018-15380 and CVE-2019-1664, both vulnerabilities were found to impact HyperFlex software releases prior to 3.5(2a).
Another High severity bug that Cisco addressed this week is a certificate validation bug in the Identity Services Engine (ISE) integration feature of Prime Infrastructure (PI). An unauthenticated, remote attacker could exploit the flaw to perform a man-in-the-middle attack against the Secure Sockets Layer (SSL) tunnel established between ISE and PI.
Tracked as CVE-2019-1659, the issue is created by improper validation of the server SSL certificate when establishing the SSL tunnel with ISE. The flaw impacts Prime Infrastructure Software releases 2.2 through 3.4.0 when the PI server is integrated with ISE, which is disabled by default.
Another High risk bug was found in the Quality of Voice Reporting (QOVR) service of Prime Collaboration Assurance (PCA) Software releases prior to 12.1 SP2. Tracked as CVE-2019-1662 and created due to insufficient authentication controls, the issue could allow an unauthenticated, remote attacker to access the system as a valid user.
The TFTP service of Cisco Network Convergence System 1000 Series software was found vulnerable to a High severity directory traversal vulnerability (CVE-2019-1681) that could allow an unauthenticated, remote attacker to retrieve arbitrary files from the targeted device. The bug impacts IOS XR Software releases prior to 6.5.2 for Network Convergence System 1000 Series when the TFTP service is enabled.
Cisco also released patches for 11 Medium severity vulnerabilities impacting Webex Meetings Online, Webex Teams, Internet of Things Field Network Director (IoT-FND) Software, HyperFlex, Firepower Threat Defense, Firepower 9000 Series Firepower 2-Port 100G Double-Width Network Module Queue Wedge, Unity Connection, IP Phone 7800 and 8800 Series, and SPA112, SPA525, and SPA5X5 Series IP Phones.
Additionally, Cisco revealed that, while investigation to determine which products are affected continues, the recently discovered container escape vulnerability (CVE-2019-5736) does impact Cisco Container Platform and Cisco Defense Orchestrator. Exploit code for the flaw was made public as well.