SB2019022203 - Multiple vulnerabilities in Cisco HyperFlex

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2019-1665)

The disclosed vulnerability allows a remote attacker to perform stored cross-site scripting (XSS) attacks.

The vulnerability exists in the web-based management interface due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) OS Command Injection (CVE-ID: CVE-2018-15380)

The vulnerability allows an adjacent attacker to execute arbitrary shell commands on the target system.

The vulnerability exists in the cluster service manager due to insufficient input validation. An adjacent unauthenticated attacker can connect to the cluster service manager and inject commands into the bound process to run commands on the affected host as the root user..

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

3) Security restrictions bypass (CVE-ID: CVE-2019-1667)

The vulnerability allows a local unauthenticated attacker to bypass security restrictions on the target system.

The vulnerability exists in the Graphite interface due to insufficient authorization controls. A local unauthenticated attacker can connect to the Graphite service and send arbitrary data to bypass security restrictions and write arbitrary data to Graphite, which could result in invalid statistics being presented in the interface.

4) Privilege escalation (CVE-ID: CVE-2019-1664)

The vulnerability allows a local unauthenticated attacker to gain elevated privileges on the target system.

The vulnerability exists in the hxterm service due to insufficient authentication controls. A local unauthenticated attacker can connect to the hxterm service as a non-privileged, local user and gain root access to all member nodes of the HyperFlex cluster.

5) Information disclosure (CVE-ID: CVE-2019-1666)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The vulnerability exists in the Graphite service due to insufficient authentication controls. A remote attacker can send specially crafted requests to the Graphite service and retrieve any statistics from the Graphite service.

Remediation

Install update from vendor's website.

References

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-hyper-xss
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-hyperflex-injection
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-hyper-write
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-chn-root-access
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-hyper-retrieve