Cisco fixes risky flaws in HyperFlex and Prime infrastructure
Cisco has released another batch of fixes for many of its products, including HyperFlex, Prime infrastructure, WebEx, and Firepower devices.
Fixed HyperFlex bugs
Five of the patched vulnerabilities affect Cisco HyperFlex Software, software running on Cisco HyperFlex HX-Series data center nodes.
Two of them are high risk security holes:
- CVE-2018-15380 could allow an unauthenticated, adjacent attacker to run commands on the affected host as the root user
- CVE-2019-1664 could allow an unauthenticated, local attacker to gain root access to all nodes of the HyperFlex cluster.
The remaining three flaws are less serious and mostly allow attackers to access/retrieve potentially sensitive information.
The remaining fixes
Among the other risky bugs squashed are CVE-2019-1659, a certificate validation vulnerability in Cisco Prime Infrastructure that could allow an unauthenticated, remote attacker to perform a man-in-the-middle attack against the Secure Sockets Layer (SSL) tunnel established between the Identity Services Engine (ISE) and Prime Infrastructure (PI), and CVE-2019-1662, a vulnerability in the Quality of Voice Reporting service of Cisco Prime Collaboration Assurance Software could allow an unauthenticated, remote attacker to access the system as a valid user.
“An attacker could exploit [CVE-2019-1659] by using a crafted SSL certificate and could then intercept communications between the ISE and PI. A successful exploit could allow the attacker to view and alter potentially sensitive information that the ISE maintains about clients that are connected to the network,” Cisco explained.
Also important to note that the recently revealed RunC container escape bug has, so far, been found to affect only the Cisco Container Platform and Cisco Defense Orchestrator (though fixes are yet to be pushed out).
Many other products have been confirmed to not be vulnerable, and others are still under investigation.
All the released security advisories can be found here. Cisco says that none of the plugged holes are under active exploitation.