Positive Technologies researchers Nikita Abramov and Mikhail Klyuchnikov have discovered three vulnerabilities in Cisco HyperFlex HX, a hyperconverged platform for building IT infrastructure from scratch that in 2019 was named the leader in the Gartner Magic Quadrant for Hyperconverged Infrastructure.
Cisco has thanked the researchers in the two security advisories it published.
Cisco has patched all three: CVE-2021-1497 (CVSS v3.1 score 9.8, discovered by Nikita Abramov), CVE-2021-1498 (scored 7.3, discovered by Mikhail Klyuchnikov), and CVE-2021-1499 (rated 5.3, discovered by Abramov and Klyuchnikov).
The first two vulnerabilities are the more dangerous, since exploiting them would allow attackers to execute arbitrary commands in the device’s operating system with maximum privileges (root user) and with web server rights (Tomcat 8), respectively. The third vulnerability would allow an unauthenticated attacker to upload arbitrary files, but only with limited write access, so it is less dangerous than the other two.
Nikita Abramov said: “These vulnerabilities can negatively affect the internal infrastructure of an enterprise, leading to disruption of its operation. Hyperconverged systems are basically out-of-the-box data centers, combining storage systems, servers, network functions, and software into one module. By exploiting the flaws, attackers can access an organization’s entire infrastructure management system and affect its performance, delete important files, disrupt business processes, and erase backup systems with critical data—scenarios are limited only by the attacker’s imagination.”