Vulnerabilities discovered in Cisco IT infrastructure deployment solution
Three vulnerabilities in Cisco HyperFlex HX have been discovered by researchers at Positive Technologies.
The Cisco HyperFlex HX is a hyperconverged platform for building IT infrastructure from scratch. In 2019 it was named the leader in the Gartner Magic Quadrant for Hyperconverged Infrastructure.
Researchers Nikita Abramov and Mikhail Klyuchnikov discovered the flaw.
“These vulnerabilities can negatively affect the internal infrastructure of an enterprise, leading to disruption of its operation," says Abramov.
"Hyperconverged systems are basically out-of-the-box data centers, combining storage systems, servers, network functions, and software into one module," she says.
"By exploiting the flaws, attackers can access an organisation’s entire infrastructure management system and affect its performance, delete important files, disrupt business processes, and erase backup systems with critical data—scenarios are limited only by the attacker's imagination.”
According to Positive Technologies, in order to successfully exploit the vulnerabilities, an attacker only needs to gain access to the web interface of the device and send a specific request. Special rights, permissions, or authentication are not required.
"It’s difficult to estimate the number of vulnerable devices, since this type of equipment is most often located on an organisation’s internal network. From a technical point of view, these are logic bugs; they often occur due to inattentiveness of the developer and insufficient testing of the code at the development stage," the researchers explain.
Cisco has patched all three: CVE-2021-1497 (CVSS v3.1 score 9.8, discovered by Nikita Abramov), CVE-2021-1498 (scored 7.3, discovered by Mikhail Klyuchnikov), and CVE-2021-1499 (rated 5.3, discovered by Abramov and Klyuchnikov). The first two vulnerabilities are more dangerous, since their exploitation would allow attackers to execute arbitrary commands in the device’s operating system with maximum privileges (root user) and web server rights (Tomcat 8), respectively. The third vulnerability would allow criminals to upload arbitrary files without authorisation with limited write access, and is not as dangerous in comparison to the others.
To eliminate the vulnerabilities, organisations should follow the recommendations specified in Cisco's official notices. Deep Network Traffic Analysis (NTA/NDR) systems, in particular PT Network Attack Discovery, will allow enterprises to detect attempts to exploit vulnerabilities in Cisco's firewall. In the case of a successful attack, one of the ways to detect signs of penetration is to use SIEM solutions (for example, MaxPatrol SIEM), which help identify suspicious behaviour on the server, register an incident, and prevent the intruders from moving laterally within the corporate network in a timely manner.