Cisco patches vulnerabilities in HyperFlex HX, SD-WAN and other products

Cisco patches vulnerabilities in HyperFlex HX and SD-WAN

Cisco has patched multiple vulnerabilities in HyperFlex HX, Cisco SD-WAN, Small Business routers and other network products. Two of the advisories are rated Critical.

An attacker could remotely exploit some of these vulnerabilities to take control of an impacted system.

HyperFlex HX vulnerabilities

Cisco patched two HyperFlex HX software vulnerabilities (CVE-2021-1497 and CVE-2021-1498) on May 7, 2021. The vulnerabilities could allow an unauthenticated, remote attacker to perform command injection attacks against an affected system.

The fixed HyperFlex vulnerabilities (and CVSS score) include:

  • CVE-2021-1497: Critical Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability (CVSS score 9.8)
  • CVE-2021-1498: High Cisco HyperFlex HX Data Platform Command Injection Vulnerability (CVSS score 7.3).

In addition, Cisco also fixed a Medium rated HyperFlex HX Data Platform File Upload Vulnerability CVE-2021-1499. This vulnerability is due to missing authentication for the upload function, which could allow an unauthenticated attacker to upload files to an affected device.

SD-WAN vulnerabilities

Cisco patched multiple Critical and High risk SD-WAN vManage software vulnerabilities on May 5, 2021. The vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code or allow an authenticated, local attacker to gain escalated privileges on an affected system.

Five of the fixed SD-WAN vManage vulnerabilities (and CVSS score) include:

  • CVE-2021-1468: Critical Cisco SD-WAN vManage Cluster Mode Unauthorized Message Processing Vulnerability (CVSS score 9.8)
  • CVE-2021-1505: Critical Cisco SD-WAN vManage Cluster Mode Privilege Escalation Vulnerability (CVSS score 9.1)
  • CVE-2021-1508: High Cisco SD-WAN vManage Cluster Mode Unauthorized Access Vulnerability (CVSS score 8.1)
  • CVE-2021-1275: High Cisco SD-WAN vManage Denial of Service Vulnerability (CVSS score 8.1)
  • CVE-2021-1506: High Cisco SD-WAN vManage Cluster Mode Unauthorized Services Access Vulnerability (CVSS score 7.2).

Cisco also addressed an SD-WAN vManage Software Authentication Bypass Vulnerability CVE-2021-1284 as part of a separate High severity advisory.

Moreover, the networking giant also patched SD-WAN Software vDaemon and SD-WAN vEdge Software vulnerabilities.

Other product vulnerabilities

Finally, Cisco also published the following High severity security advisories on May 5:

Readers can check out more details on these and other vulnerabilities on the Cisco Security Advisories page.

Related Articles