OS Command Injection in Cisco HyperFlex - CVE-2018-15380
Published: February 22, 2019
Cisco HyperFlex
Detailed vulnerability description
The vulnerability allows an adjacent attacker to execute arbitrary shell commands on the target system.
The vulnerability exists in the cluster service manager due to insufficient input validation. An adjacent unauthenticated attacker can connect to the cluster service manager and inject commands into the bound process, running them on the affected host as the root user.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.