Cisco released security updates for high and moderate severity vulnerabilities in multiple Cisco products, to include HyperFlex and Prime infrastructure. The company also issued an updated advisory for the open container runc vulnerability and latest products impacted.
Two of the Cisco patches address high severity vulnerabilities in HyperFlex software.
One of those fixes address a command injection vulnerability (CVE-2018-15380) in the cluster service manager of Cisco HyperFlex Software and is caused by insufficient input validation. The CVSS score is rated 8.8, just a notch below critical.
“An attacker could exploit this vulnerability by connecting to the cluster service manager and injecting commands into the bound process. A successful exploit could allow the attacker to run commands on the affected host as the root user,” Cisco noted in the advisory.
The other HyperFlex patch addresses an unauthenticated root access vulnerability (CVE-2019-1664) in the hxterm service of Cisco HyperFlex Software. An unauthenticated, local attacker could exploit this bug to gain root access to all nodes in the cluster.
Two of the other Cisco patches address high severity Prime infrastructure and software vulnerabilities.
One of the Prime fixes address an unauthenticated access vulnerability (CVE-2019-1662) in the Quality of Voice Reporting (QOVR) service of Cisco Prime Collaboration Assurance (PCA) Software. An unauthenticated, remote attacker could exploit this bug to access the system as a valid user.
The second Prime update fixes a certificate validation vulnerability (CVE-2019-1659) in the Identity Services Engine (ISE) integration feature of Cisco Prime Infrastructure (PI). A remote unauthenticated hacker could perform a man-in-the-middle attack against the Secure Sockets Layer (SSL) tunnel established between ISE and PI.
Cisco also patched a high severity directory traversal vulnerability (CVE-2019-1681) in the TFTP service of Cisco Network Convergence System 1000 Series software. An unauthenticated, remote attacker could exploit this bug to retrieve arbitrary files from the targeted device, possibly resulting in information disclosure.
The company provided an updated security advisory for products impacted by the previously disclosed vulnerability (CVE-2019-5736) in the Open Container Initiative runc CLI tool. used by multiple products could allow an unauthenticated, remote attacker to escalate privileges on a targeted system.
Eleven other Medium risk vulnerabilities were also patched for multiple products to include Cisco Webex (Meetings and Teams), IoT software, HyperFlex, IP Phone (multiple models), and Firepower to name a few.
Patching should be a high priority to address these bugs.