Cisco this week identified two “High” security vulnerabilities in its HyperFlex data-center package that could let attackers gain control of the system.
HyperFlex is Cisco’s hyperconverged infrastructure that offers computing, networking and storage resources in a single system.
The more critical of the two warnings – an 8.8 on Cisco’s severity scale of 1-10 – is a command-injection vulnerability in the cluster service manager of Cisco HyperFlex Software that could let an unauthenticated, attacker execute commands as the root user.
“An attacker could exploit this vulnerability by connecting to the cluster service manager and injecting commands into the bound process,” Cisco wrote in its Security Advisory.
Cisco says that the vulnerability is due to insufficient input validation in Cisco HyperFlex software releases prior to 3.5.
Such input can impact the control flow or data flow of a program and cause a number of resource control problems. Cisco has released a software update to address this vulnerability and said that there are no other workarounds to address this exposure.
The second vulnerability – rated 8.1 on Cisco's scale – is a snafu in the hxterm service of Cisco HyperFlex Software that could let an attacker connect to the service as a non-privileged, local user. A successful exploit could allow the attacker to gain root access to all member nodes of the HyperFlex cluster in Cisco HyperFlex software releases prior to 3.5, according to the security advisory.
Cisco said has released software updates that address both vulnerabilities. Customers can download it from Cisco.
Cisco also released three other “Medium” level threats around Hyperflex software having to do with cross-site scripting (XSS), arbitrary data and Graphite service weaknesses. But it offered no workarounds nor patches for those problems.
Cisco recently expanded its hyperconverged package with HyperFlex for Branch or Hyperflex 4.0, which will let customers extend the system to branch offices or the edge of a customer network. In other words it moves data-center-class application performance and management to branch offices and remote sites, enabling analytics and intelligent services at the enterprise edge, Cisco said.
The Hyperflex vulnerabilities were part of a 17 item dump of Security Advisories and Alerts issued by the company.
Thanks to Michael Cooney (see source)