Attackers could disrupt the operation of enterprise IT systems by deleting backups.
Positive Technologies researchers Nikita Abramov and Mikhail Klyuchnikov have discovered three vulnerabilities in Cisco HyperFlex HX, a hyperconverged platform for building IT infrastructure from scratch that Gartner placed among the leaders in its 2019 Magic Quadrant for Hyperconverged Infrastructure. Cisco has credited the researchers in the two security advisories it published.
Nikita Abramov said: "These vulnerabilities can negatively affect the internal infrastructure of an enterprise, leading to disruption of its operation. Hyperconverged systems are basically out-of-the-box data centers, combining storage systems, servers, network functions, and software into one module. By exploiting the flaws, attackers can access an organization’s entire infrastructure management system and affect its performance, delete important files, disrupt business processes, and erase backup systems with critical data—scenarios are limited only by the attacker's imagination."
To exploit the vulnerabilities, an attacker needs only network access to the device's web interface and a crafted request; no special rights, permissions, or authentication are required. The number of vulnerable devices is hard to estimate, since this kind of equipment usually sits on an organization's internal network rather than on the Internet. Technically, these are logic bugs, the kind that typically result from developer oversight and insufficient testing of the code during development.
Cisco has patched all three: CVE-2021-1497 (CVSS v3.1 score 9.8, discovered by Nikita Abramov), CVE-2021-1498 (scored 7.3, discovered by Mikhail Klyuchnikov), and CVE-2021-1499 (rated 5.3, discovered by Abramov and Klyuchnikov). The first two are the more dangerous, since exploiting them lets an attacker execute arbitrary commands on the device's underlying operating system, as root (CVE-2021-1497) and as the Tomcat 8 web server user (CVE-2021-1498) respectively. The third lets an unauthenticated attacker upload arbitrary files, but only with limited write access, and is less severe than the other two.
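As an added example (not code from the article or from Cisco), the two bug classes named above, unauthenticated command injection and unauthenticated arbitrary file upload, shown in a hypothetical pair of web handlers, first in the vulnerable shape and then hardened. The /api/ping and /api/upload endpoints, the upload directory, the token check and the request shapes are all invented for illustration and say nothing about how the HyperFlex code is actually written.

```python
"""Hypothetical /api/ping and /api/upload handlers, shown first in the
vulnerable shape (no authentication, request data spliced into a shell
command or a file path) and then hardened. Illustrative only: this is not
Cisco HyperFlex code and the endpoints are invented for the example."""
import os
import re

UPLOAD_ROOT = "/var/lib/app/uploads"                           # assumed storage dir
VALID_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")  # hostname/IP allowlist


class RequestRejected(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


# ---- Vulnerable pattern -------------------------------------------------

def ping_command_vulnerable(params):
    """Shell string the vulnerable handler would hand to
    subprocess.run(cmd, shell=True). Anything after ';' or '|' in `host`
    runs as the web server user (or as root, if the service does)."""
    return "ping -c 1 " + params.get("host", "")


def upload_path_vulnerable(params):
    """Path the vulnerable handler would write the uploaded body to.
    '../' segments in `name` walk out of UPLOAD_ROOT."""
    return os.path.join(UPLOAD_ROOT, params.get("name", ""))


# ---- Hardened pattern ---------------------------------------------------

def require_auth(headers, valid_tokens):
    """Every handler authenticates first; the original bugs needed no login."""
    if headers.get("Authorization", "") not in valid_tokens:
        raise RequestRejected(401, "authentication required")


def ping_command_hardened(headers, params, valid_tokens):
    """argv list for subprocess.run(argv) with shell=False: the host is a
    single argument and can never become a second command."""
    require_auth(headers, valid_tokens)
    host = params.get("host", "")
    if not VALID_HOST.match(host):          # also rejects a leading '-'
        raise RequestRejected(400, "invalid host")
    return ["ping", "-c", "1", host]


def upload_path_hardened(headers, params, valid_tokens):
    """Destination path confined to UPLOAD_ROOT."""
    require_auth(headers, valid_tokens)
    name = os.path.basename(params.get("name", ""))   # strip any directory part
    if name in ("", ".", ".."):
        raise RequestRejected(400, "invalid file name")
    root = os.path.realpath(UPLOAD_ROOT)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:      # second line of defence
        raise RequestRejected(400, "path escapes upload root")
    return dest


def dispatch(handler, headers, params, valid_tokens):
    """Tiny stand-in for the web framework: returns (status, body)."""
    try:
        return 200, handler(headers, params, valid_tokens)
    except RequestRejected as exc:
        return exc.status, str(exc)


if __name__ == "__main__":
    evil = {"host": "127.0.0.1; id", "name": "../../../../etc/cron.d/job"}
    print(ping_command_vulnerable(evil))                     # 'id' would run too
    print(os.path.normpath(upload_path_vulnerable(evil)))    # lands in /etc/cron.d
    print(dispatch(ping_command_hardened, {}, evil, {"s3cret"}))
    print(dispatch(ping_command_hardened, {"Authorization": "s3cret"}, evil, {"s3cret"}))
    print(dispatch(upload_path_hardened, {"Authorization": "s3cret"}, evil, {"s3cret"}))
```

The hardened versions fix three independent things, and each matters on its own: the handler authenticates before doing anything, the shell is never involved so the parameter cannot be parsed as a command, and the upload name is reduced to a basename and then re-checked against the real upload directory so a symlink or an encoding trick cannot reintroduce traversal.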
To eliminate the vulnerabilities, organizations should follow the recommendations in Cisco's two official advisories. Network traffic analysis (NTA/NDR) systems, such as PT Network Attack Discovery, can detect attempts to exploit these vulnerabilities in Cisco HyperFlex HX on the wire. If an attack has already succeeded, a SIEM (for example, MaxPatrol SIEM) is one way to spot the intrusion: it can flag suspicious behavior on the server, raise an incident, and help stop the intruders from moving laterally across the corporate network before they do further damage.
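As an added example that is not part of the original article and not code from any Positive Technologies product, the two detection layers described above over constructed data: an access-log scanner standing in for the network-side check (exploit attempts visible in requests), a process-event scanner for the host-side check (the web service spawning a shell), and a correlation step that ties an attempt on the wire to a shell that appears on the server shortly afterwards. The log lines, event fields, user name tomcat8, parent process name java and time window are all constructed for the example; the parsers have to be adapted to the real log formats.

```python
"""Detection logic, as an added example, over constructed sample data:
web-server access-log lines (what a network sensor sees) and process
execution events (what a SIEM ingests from the host). All sample data,
field names and thresholds are invented; adapt the two parsers to the
formats actually in use."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote, urlsplit

# Constructed access log: line 2 carries a URL-encoded ';' in the host
# parameter, line 3 a double-encoded '../' in the upload file name.
ACCESS_LOG = """\
10.0.0.5 - - [12/May/2021:10:01:02 +0000] "GET /api/ping?host=10.0.0.1 HTTP/1.1" 200 512
10.0.0.9 - - [12/May/2021:10:01:07 +0000] "GET /api/ping?host=10.0.0.1%3Bid HTTP/1.1" 200 640
10.0.0.9 - - [12/May/2021:10:01:09 +0000] "POST /api/upload?name=..%252F..%252Fetc%252Fcron.d%252Fjob HTTP/1.1" 200 12
10.0.0.7 - - [12/May/2021:10:02:00 +0000] "GET /ui/dashboard HTTP/1.1" 302 0
"""

# Constructed process events (auditd/EDR style, already normalised).
PROCESS_EVENTS = [
    {"ts": "2021-05-12T10:01:07Z", "user": "tomcat8", "parent": "java", "exe": "/bin/sh", "args": "sh -c id"},
    {"ts": "2021-05-12T10:01:08Z", "user": "root", "parent": "java", "exe": "/usr/bin/python3", "args": "python3 -c ..."},
    {"ts": "2021-05-12T10:03:00Z", "user": "root", "parent": "cron", "exe": "/bin/sh", "args": "sh -c /usr/local/bin/backup.sh"},
    {"ts": "2021-05-12T10:04:00Z", "user": "tomcat8", "parent": "java", "exe": "/usr/bin/ping", "args": "ping -c 1 10.0.0.1"},
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SHELL_META = re.compile(r"[;|&`\n]|\$\(")        # characters that end or chain a shell command
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")        # a '../' segment after decoding
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/python3", "/usr/bin/perl"}
WEB_USERS, WEB_PARENTS = {"tomcat8"}, {"java"}   # assumed identity of the web service


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (bounded) so '%252F' becomes '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(text):
    """Network-side rule: a query parameter that carries shell
    metacharacters or a '../' segment once fully decoded."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(m["target"])
        for pair in url.query.split("&"):
            key, _, raw = pair.partition("=")
            value = fully_decode(raw)
            if SHELL_META.search(value):
                rule = "command injection attempt"
            elif TRAVERSAL.search(value):
                rule = "path traversal attempt"
            else:
                continue
            alerts.append({"ts": ts, "rule": rule, "src": m["ip"], "path": url.path, "param": key, "value": value})
    return alerts


def scan_process_events(events):
    """Host-side rule: the web service (by user or by java parent) spawning
    a shell or interpreter. The cron-launched backup shell does not match."""
    alerts = []
    for ev in events:
        if ev["exe"] in INTERPRETERS and (ev["user"] in WEB_USERS or ev["parent"] in WEB_PARENTS):
            ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            alerts.append({"ts": ts, "rule": "web service spawned interpreter", "user": ev["user"], "args": ev["args"]})
    return alerts


def correlate(net_alerts, host_alerts, window=timedelta(seconds=10)):
    """An attempt on the wire followed within `window` by the web service
    spawning an interpreter is reported as probable successful exploitation."""
    return [(n, h) for n in net_alerts for h in host_alerts
            if timedelta(0) <= h["ts"] - n["ts"] <= window]


if __name__ == "__main__":
    net, host = scan_access_log(ACCESS_LOG), scan_process_events(PROCESS_EVENTS)
    for n, h in correlate(net, host):
        print(f"{n['src']} {n['rule']} on {n['path']} -> {h['user']}: {h['args']}")
```

On the sample data the network rule fires twice (the ';' in the ping host and the double-encoded '../' in the upload name), the host rule fires twice (a shell as tomcat8 and an interpreter as root, both children of the java process), and only the ping attempt correlates with the shells, because the upload attempt is logged after them. The decode loop matters: a single `unquote` would leave `%2F` in place and miss the traversal.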