SB2019022203 - Multiple vulnerabilities in Cisco HyperFlex
Published: February 22, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2019-1665)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform stored cross-site scripting (XSS) attacks.
The vulnerability exists in the web-based management interface due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) OS Command Injection (CVE-ID: CVE-2018-15380)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an adjacent attacker to execute arbitrary shell commands on the target system.
The vulnerability exists in the cluster service manager due to insufficient input validation. An adjacent unauthenticated attacker can connect to the cluster service manager and inject commands into the bound process to run commands on the affected host as the root user..
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Security restrictions bypass (CVE-ID: CVE-2019-1667)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local unauthenticated attacker to bypass security restrictions on the target system.
The vulnerability exists in the Graphite interface due to insufficient authorization controls. A local unauthenticated attacker can connect to the Graphite service and send arbitrary data to bypass security restrictions and write arbitrary data to Graphite, which could result in invalid statistics being presented in the interface.
4) Privilege escalation (CVE-ID: CVE-2019-1664)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local unauthenticated attacker to gain elevated privileges on the target system.
The vulnerability exists in the hxterm service due to insufficient authentication controls. A local unauthenticated attacker can connect to the hxterm service as a non-privileged, local user and gain root access to all member nodes of the HyperFlex cluster.
5) Information disclosure (CVE-ID: CVE-2019-1666)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.
The vulnerability exists in the Graphite service due to insufficient authentication controls. A remote attacker can send specially crafted requests to the Graphite service and retrieve any statistics from the Graphite service.
Remediation
Install update from vendor's website.
References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-hyper-xss
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-hyperflex-injection
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-hyper-write
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-chn-root-access
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-hyper-retrieve