Check yo self before you HyperWreck yo self: Cisco fixes gimme-root holes in HyperFlex, plus more security bugs
Patches available now spread across more than a dozen advisories
Cisco emitted on Wednesday a bunch of security updates that, your support contract willing, you should test and roll out to installations as soon as possible.
There are 17 advisories in all, including revised versions of previously issued bulletins, with six marked as high in terms of severity and the rest medium. The worst of the lot grants root access to a local attacker, closely followed by another that allows any remote miscreant in without authorization.
Here's a summary of the high-severity security blunders:
- CVE-2018-15380: Cisco HyperFlex Software Command Injection Vulnerability
A logged-in rogue user can execute commands as the root superuser without authentication. "An attacker could exploit this vulnerability by connecting to the cluster service manager and injecting commands into the bound process," says Cisco. "A successful exploit could allow the attacker to run commands on the affected host as the root user."
- CVE-2019-1664: Cisco HyperFlex Software Unauthenticated Root Access Vulnerability
A logged-in miscreant can gain root access to all nodes in a Cisco HyperFlex Software cluster without authentication. "An attacker could exploit this vulnerability by connecting to the hxterm service as a non-privileged, local user," Switchzilla explained. "A successful exploit could allow the attacker to gain root access to all member nodes of the HyperFlex cluster."
- CVE-2019-5736: Container Privilege Escalation Vulnerability Affecting Cisco Products
This is a patch for Docker's give-me-root runc hole, which we previously reported, that affects Cisco products. This is version 1.2 of an earlier advisory, with more Switchzilla gear now listed as being vulnerable to the privilege-escalation flaw.
- CVE-2019-1659: Cisco Prime Infrastructure Certificate Validation Vulnerability
An unauthenticated man-in-the-middle attacker can intercept, decrypt, and snoop on the SSL-encrypted tunnel between Cisco's Identity Services Engine (ISE) and Cisco Prime Infrastructure.
- CVE-2019-1662: Cisco Prime Collaboration Assurance Software Unauthenticated Access Vulnerability
An unauthenticated, remote attacker can access installations of Cisco's Quality of Voice Reporting (QOVR) service of Switchzilla's Prime Collaboration Assurance (PCA) Software as a valid user.
- CVE-2019-1681: Cisco Network Convergence System 1000 Series TFTP Directory Traversal Vulnerability
An unauthenticated, remote attacker can download arbitrary files from the TFTP service of Cisco Network Convergence System 1000 Series software, possibly resulting in the disclosure of potentially sensitive information.
The remaining medium-severity holes include a Webex Teams for iOS Arbitrary File Upload Vulnerability (CVE-2019-1689), IoT Field Network Director XML External Entity Vulnerability (CVE-2019-1698), HyperFlex Stored Cross-Site Scripting Vulnerability (CVE-2019-1665), and a Cisco Unity Connection Reflected Cross-Site Scripting Vulnerability (CVE-2019-168).
Interestingly enough, the Cisco Firepower 9000 Series with the Cisco Firepower 2-port 100G double-width network module can be crashed (CVE-2019-1700) by sending it maliciously crafted network packets from an adjacent subnet. This causes its FPGA, a chip that can have its circuitry rewired pretty much as desired, to lose the plot, and stuff the machine sideways.
"The vulnerability is due to a logic error in the FPGA related to the processing of different types of input packets," says Switchzilla. "An attacker could exploit this vulnerability by being on the adjacent subnet and sending a crafted sequence of input packets to a specific interface on an affected device."
That must have been an interesting bug to find and fix, we reckon. It was found while diagnosing a customer support query, we're told. ®