Cisco has revealed that there are some critical bugs in its HyperFlex hyperconverged infrastructure product. CVE-2021-1497 affects the HyperFlex HX Installer Virtual Machine and means a remote hacker could perform a command injection attack.
The attack would be directed at the web-based management console and would yield root access. From that point on, it is easy to execute commands on the affected device.
The second flaw, CVE-2021-1498, also allows a potential hacker to perform command injection on the management interface, in this case running as the tomcat8 user. It, too, permits the execution of arbitrary commands.
The flaws explained
For both flaws, Cisco gives the same advisory. In it, they say that the vulnerability is due to insufficient validation of user-supplied input. A hacker could exploit this flaw by sending a crafted request to the web-based management interface.
CVE-2021-1497 is rated 9.8 on the Common Vulnerability Scoring System. In comparison, CVE-2021-1498 is only a 7.3.
HyperFlex releases earlier than 4.0, release 4.0, and release 4.5 are all affected by one or both flaws. The fix for these vulnerabilities is to migrate to a patched version of the software.
No exploitation seen in the wild
Cisco sells HyperFlex as the ultimate multi-hypervisor converged infrastructure, capable of running in the biggest data centers or the most complex edge locations. The HX Installer VM is used to install and manage virtual machines, meaning that the potential damage from exploitation of both flaws could be devastating if a criminal decides to go on a rampage.
There is hope, though, since Cisco has said that it has not seen exploitation of the flaws in the wild. Nikita Abramov and Mikhail Klyuchnikov of Positive Technologies discovered and reported the vulnerabilities.