Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Cisco Patches High Severity Flaws in HyperFlex, Prime Infrastructure

Cisco this week released patches for more than a dozen vulnerabilities across its product portfolio, including high severity flaws in HyperFlex, Prime Infrastructure, and Prime Collaboration Assurance. 

Cisco this week released patches for more than a dozen vulnerabilities across its product portfolio, including high severity flaws in HyperFlex, Prime Infrastructure, and Prime Collaboration Assurance. 

Two High risk security bugs were addressed in HyperFlex software, namely a command injection issue in the cluster service manager of the application, and an unauthenticated root access flaw in the hxterm service of the software.  

Created by insufficient input validation and insufficient authentication controls, respectively, the vulnerabilities could allow an attacker to run commands as the root user or gain root access to all member nodes of the HyperFlex cluster.

Tracked as CVE-2018-15380 and CVE-2019-1664, both vulnerabilities were found to impact HyperFlex software releases prior to 3.5(2a).

Another High severity bug that Cisco addressed this week is a certificate validation bug in the Identity Services Engine (ISE) integration feature of Prime Infrastructure (PI). An unauthenticated, remote attacker could exploit the flaw to perform a man-in-the-middle attack against the Secure Sockets Layer (SSL) tunnel established between ISE and PI.

Tracked as CVE-2019-1659, the issue is created by improper validation of the server SSL certificate when establishing the SSL tunnel with ISE. The flaw impacts Prime Infrastructure Software releases 2.2 through 3.4.0 when the PI server is integrated with ISE, which is disabled by default.

Another High risk bug was found in the Quality of Voice Reporting (QOVR) service of Prime Collaboration Assurance (PCA) Software releases prior to 12.1 SP2. Tracked as CVE-2019-1662 and created due to insufficient authentication controls, the issue could allow an unauthenticated, remote attacker to access the system as a valid user.

The TFTP service of Cisco Network Convergence System 1000 Series software was found vulnerable to a High severity directory traversal vulnerability (CVE-2019-1681) that could allow an unauthenticated, remote attacker to retrieve arbitrary files from the targeted device. The bug impacts IOS XR Software releases prior to 6.5.2 for Network Convergence System 1000 Series when the TFTP service is enabled.

Advertisement. Scroll to continue reading.

Cisco also released patches for 11 Medium severity vulnerabilities impacting Webex Meetings Online, Webex Teams, Internet of Things Field Network Director (IoT-FND) Software, HyperFlex, Firepower Threat Defense, Firepower 9000 Series Firepower 2-Port 100G Double-Width Network Module Queue Wedge, Unity Connection, IP Phone 7800 and 8800 Series, and SPA112, SPA525, and SPA5X5 Series IP Phones. 

Additionally, Cisco revealed that, while investigation to determine which products are affected continues, the recently discovered container escape vulnerability (CVE-2019-5736) does impact Cisco Container Platform and Cisco Defense Orchestrator. Exploit code for the flaw was made public as well. 

Related: Cisco Patches Serious DoS Flaws in Email Security Appliance

Related: Cisco Patches Privilege Escalation Vulnerability in Adaptive Security Appliance

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.