Cisco has patched multiple vulnerabilities in HyperFlex HX, Cisco SD-WAN, Small Business routers and other network products. Two of the advisories are rated Critical.
An attacker could remotely exploit some of these vulnerabilities to take control of an impacted system.
HyperFlex HX vulnerabilities
Cisco patched two HyperFlex HX software vulnerabilities (CVE-2021-1497 and CVE-2021-1498) on May 7, 2021. The vulnerabilities could allow an unauthenticated, remote attacker to perform command injection attacks against an affected system.
The fixed HyperFlex vulnerabilities (and CVSS score) include:
- CVE-2021-1497: Critical Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability (CVSS score 9.8)
- CVE-2021-1498: High Cisco HyperFlex HX Data Platform Command Injection Vulnerability (CVSS score 7.3).
In addition, Cisco also fixed a Medium rated HyperFlex HX Data Platform File Upload Vulnerability CVE-2021-1499. This vulnerability is due to missing authentication for the upload function, which could allow an unauthenticated attacker to upload files to an affected device.
Cisco patched multiple Critical and High risk SD-WAN vManage software vulnerabilities on May 5, 2021. The vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code or allow an authenticated, local attacker to gain escalated privileges on an affected system.
Five of the fixed SD-WAN vManage vulnerabilities (and CVSS score) include:
- CVE-2021-1468: Critical Cisco SD-WAN vManage Cluster Mode Unauthorized Message Processing Vulnerability (CVSS score 9.8)
- CVE-2021-1505: Critical Cisco SD-WAN vManage Cluster Mode Privilege Escalation Vulnerability (CVSS score 9.1)
- CVE-2021-1508: High Cisco SD-WAN vManage Cluster Mode Unauthorized Access Vulnerability (CVSS score 8.1)
- CVE-2021-1275: High Cisco SD-WAN vManage Denial of Service Vulnerability (CVSS score 8.1)
- CVE-2021-1506: High Cisco SD-WAN vManage Cluster Mode Unauthorized Services Access Vulnerability (CVSS score 7.2).
Cisco also addressed an SD-WAN vManage Software Authentication Bypass Vulnerability CVE-2021-1284 as part of a separate High severity advisory.
Other product vulnerabilities
Finally, Cisco also published the following High severity security advisories on May 5:
- Cisco Small Business 100, 300, and 500 Series Wireless Access Points Vulnerabilities
- Cisco Enterprise NFV Infrastructure Software Command Injection Vulnerability
- Cisco Unified Communications Manager IM & Presence Service SQL Injection Vulnerabilities
- Cisco AnyConnect Secure Mobility Client for Windows DLL and Executable Hijacking Vulnerabilities.
Readers can check out more details on these and other vulnerabilities on the Cisco Security Advisories page.