CVE-2021-1497
Published 2021-05-06
Priority: P1 · 98 · Critical 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2021-11-17)
Exploited in the wild
EPSS: 99.93% (100.0th percentile)
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_hyperflex_hx_data_platform | — | — |
| cisco | hyperflex_hx | — | — |
| cisco | hyperflex_hx_data_platform | < 4.0(2e) | 4.0(2e) |
| cisco | hyperflex_hx_data_platform | >= 4.5, < 4.5(2a) | 4.5(2a) |
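The two version ranges above use Cisco's HyperFlex release notation (major.minor followed by a parenthesised build number and letter, e.g. 4.0(2e)), which does not sort correctly as a plain string. The following is an added example, not tooling from Cisco or from this page: it parses that notation and evaluates exactly the two listed ranges against an inventory. The hostnames and releases in the inventory are constructed for the demo, and a release outside both ranges is reported as "not in a listed range" rather than as safe, because that is all the table says; confirm such releases against the Cisco advisory.

```python
"""Version-range check for the two affected HyperFlex HX Data Platform ranges.

Added example (not Cisco's tooling). Ranges evaluated, straight from the table:
  < 4.0(2e)              -> fixed in 4.0(2e)
  >= 4.5 and < 4.5(2a)   -> fixed in 4.5(2a)
"""
import re
from typing import Optional, Tuple

VersionKey = Tuple[int, int, int, int, str]

# "4.0(2e)", "4.5", "4.5(2a)"; a third numeric part ("4.0.1(2a)") is tolerated as an assumption.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\((\d+)([a-z]?)\))?$")


def parse_hx_version(text: str) -> VersionKey:
    """Turn a HyperFlex release string into a tuple that compares in release order."""
    m = _VER_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised HyperFlex release string: {text!r}")
    major, minor, patch, build, letter = m.groups()
    return (int(major), int(minor), int(patch or 0), int(build or 0), letter or "")


# (inclusive lower bound or None, exclusive upper bound, fixed release) as listed in the table.
AFFECTED_RANGES = [
    (None, "4.0(2e)", "4.0(2e)"),
    ("4.5", "4.5(2a)", "4.5(2a)"),
]


def fixed_release_for(version: str) -> Optional[str]:
    """Return the fixed release for an affected version, or None if it is in neither listed range."""
    v = parse_hx_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if (low is None or v >= parse_hx_version(low)) and v < parse_hx_version(high):
            return fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_release_for(version) is not None


# Constructed inventory for the demo: hostnames and releases are invented.
INVENTORY = {
    "hx-cluster-a": "4.0(2d)",
    "hx-cluster-b": "4.0(2e)",
    "hx-cluster-c": "4.5(1a)",
    "hx-cluster-d": "4.5(2a)",
    "hx-legacy": "3.5(2h)",
}


def report(inventory):
    """Map hostname -> (affected?, fixed release or None) for a whole inventory."""
    return {host: (is_affected(rel), fixed_release_for(rel)) for host, rel in inventory.items()}


if __name__ == "__main__":
    for host, (affected, fixed) in report(INVENTORY).items():
        status = f"AFFECTED, upgrade to {fixed}" if affected else "not in a listed range"
        print(f"{host:14} {INVENTORY[host]:9} {status}")
```

The tuple comparison is what makes 4.0(2d) sort below 4.0(2e) and 4.5 (no build) sort below 4.5(1a); a naive string comparison would get the bare "4.5" case wrong.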
Detection & IOCs (extracted from sources)
- Monitor for POST requests to /storfs-asup with backtick command substitution in the token or mode parameters (e.g., token=`wget ...` or mode=`wget ...`).
- The /storfs-asup endpoint is exploited to execute shell commands as the Tomcat user; alert on unauthenticated POST requests to this path.
- CVE-2021-1497 is in CISA's Known Exploited Vulnerabilities (KEV) catalog; prioritize detection and patching on internet-facing Cisco HyperFlex HX management interfaces.
- The login-form injection payload uses Python (crypt/os.system), indicating the vulnerable code path runs attacker-influenced Python server-side; detection rules should account for URL-encoded variants of the payload.
- No authentication is required to exploit these vulnerabilities; until patched, perimeter controls that block unauthenticated access to the management interface are the primary mitigation.
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- vulncheck: 9.8 CRITICAL
- cisa: 9.8 CRITICAL
- vendor_cisco: 9.8 CRITICAL
CISA
Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability
cisa · 2021-11-03 · CVSS 9.8 [CRITICAL] · CWE-78
Affected: Cisco HyperFlex HX
Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the root user.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-1497
Remediation Due Date: 2021-11-17
Cisco
Cisco HyperFlex HX Command Injection Vulnerabilities
vendor_cisco · 2021-05-05 · CVSS 3.1 score 9.8 [CRITICAL] · CWE-78
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
For more information about these vulnerabilities, see the Details section of this advisory.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR
Bug IDs: CSCvx36014, CSCvx36019, CSCvx37435
GHSA
GHSA-2hv5-x25m-j674
ghsa_unreviewed · 2022-05-24 · [CRITICAL] · CWE-78
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
VulnCheck
Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability
vulncheck · 2021 · CVSS 9.8 [CRITICAL] · CWE-78
Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the root user.
Affected: Cisco HyperFlex HX
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.cisa.gov/uscert/ncas/alerts/aa22-279a
- https://securityaffairs.co/wordpress/139821/security/cisco-old-vulnerabilities-exploitation.html
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/
Suricata
ET EXPLOIT Cisco HyperFlex OS Command Injection M1 (CVE-2021-1497)
suricata · 2021-09-29 · CVSS 9.8 [CRITICAL] · sid 2034043
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex OS Command Injection M1 (CVE-2021-1497)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/auth"; startswith; http.request_body; content:"username="; content:"password="; nocase; fast_pattern; content:"%3b"; distance:0; pcre:"/^(?:%[a-f0-9]{2}){5,}/R"; reference:url,swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/; reference:cve,2021-1497; classtype:attempted-admin; sid:2034043; rev:1; metadata:attack_target Server, created_at 2021_09_29, cve CVE_2021_1497, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_K
Suricata
ET EXPLOIT Cisco HyperFlex OS Command Injection M2 (CVE-2021-1497)
suricata · 2021-09-29 · CVSS 9.8 [CRITICAL] · sid 2034044
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex OS Command Injection M2 (CVE-2021-1497)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/auth"; startswith; http.request_body; content:"username="; content:"password="; nocase; fast_pattern; content:"%3bimport|20|"; distance:0; reference:url,swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/; reference:cve,2021-1497; classtype:attempted-admin; sid:2034044; rev:1; metadata:attack_target Server, created_at 2021_09_29, cve CVE_2021_1497, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, tag Description_Gen
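The Detection & IOCs list and the two ET rules above describe the same two request shapes: a POST to /storfs-asup carrying backtick substitution in token or mode, and a POST to /auth carrying a URL-encoded `;import ...` Python payload in username or password. The following is an added example, not code from this page, Emerging Threats, Cisco or Metasploit: it runs those checks over constructed request records and shows the difference between matching the raw body the way the ET rules do (M2's literal `%3bimport ` and M1's `%3b` immediately followed by at least five `%xx` bytes) and matching after URL-decoding, which also catches double-encoded bodies. The (method, path, raw_body) record shape and every body in the sample log are assumptions made for the demo; matching `$(...)` alongside backticks is an extension beyond what the page lists.

```python
"""Detection logic for the CVE-2021-1497 request patterns described on this page.

Added example, not ET/Cisco/Metasploit code. Records are (method, path, raw_body) tuples;
that shape and the sample bodies below are constructed for the demo.
"""
import re
from urllib.parse import parse_qs, unquote_plus

# Backtick substitution as the page lists it; $(...) is an added extension, most shells treat it alike.
BACKTICK_RE = re.compile(r"`[^`]*`|\$\([^)]*\)")
# Python injection as seen in the decoded username/password value.
PY_INJECT_RE = re.compile(r";\s*import\s|os\.system\(|subprocess\.")
# Raw-body heuristics mirroring ET sid 2034043 (M1) and sid 2034044 (M2).
# Both are case-sensitive on the encoding, like the rule content/pcre; the decoded check below is not.
ET_M1_RE = re.compile(r"%3b(?:%[0-9a-f]{2}){5,}")
ET_M2_RE = re.compile(r"%3bimport ")


def decode_form(raw_body):
    """Parse a form body and decode each value a second time so double-encoded payloads
    (%2560 -> %60 -> `) are normalised before matching."""
    fields = parse_qs(raw_body, keep_blank_values=True)
    return {k: [unquote_plus(v) for v in vals] for k, vals in fields.items()}


def classify_request(method, path, raw_body):
    """Return the list of findings for one request; an empty list means nothing matched."""
    findings = []
    if method.upper() != "POST":  # both vectors are POST-only, as the ET rules also require
        return findings
    fields = decode_form(raw_body)
    if path.startswith("/storfs-asup"):
        for name in ("token", "mode"):
            for value in fields.get(name, []):
                if BACKTICK_RE.search(value):
                    findings.append(f"storfs-asup: command substitution in {name}={value!r}")
    elif path.startswith("/auth"):
        low = raw_body.lower()
        if "username=" in low and "password=" in low:  # both ET rules require both fields
            if ET_M2_RE.search(raw_body):
                findings.append("auth: ET M2 pattern (%3bimport ) in raw body")
            elif ET_M1_RE.search(raw_body):
                findings.append("auth: ET M1 pattern (%3b + >=5 encoded bytes) in raw body")
        for name in ("username", "password"):
            for value in fields.get(name, []):
                if PY_INJECT_RE.search(value):
                    findings.append(f"auth: python injection in {name}={value!r}")
    return findings


def scan(records):
    """Run classify_request over every record; return (record index, finding) pairs."""
    return [(i, f) for i, (m, p, b) in enumerate(records) for f in classify_request(m, p, b)]


# Constructed sample traffic, not captured data. Paths and field names follow the page.
SAMPLE_LOG = [
    ("POST", "/storfs-asup", "action=&token=`id`&mode=`id`"),                                    # token + mode
    ("POST", "/storfs-asup", "action=&token=%60uname%20-a%60&mode=normal"),                       # token only
    ("POST", "/auth", "username=admin%3b%69%6d%70%6f%72%74%20os%3bos.system%28%27id%27%29&password=x"),  # M1 + decoded
    ("POST", "/auth", "username=admin%3bimport os%3bos.system%28%27id%27%29&password=x"),          # M2 + decoded
    ("POST", "/auth", "username=admin&password=Summer2021%21"),                                   # clean login
    ("GET", "/storfs-asup", "token=`id`"),                                                        # GET: not flagged
    ("POST", "/storfs-asup", "token=%2560id%2560&mode=x"),                                        # double-encoded
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_LOG):
        print(idx, finding)
```

Two points worth carrying into a real rule set: the ET signatures fire only on lowercase `%3b` immediately followed by the encoded payload, so a fully decoded or mixed-case encoding slips past them while the decoded-field check still catches it; and the `/storfs-asup` vector has no ET rule on this page at all, so the backtick check is the only coverage for it here.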
Nuclei
Cisco HyperFlex HX Data Platform - Remote Command Execution
nuclei · CVSS 9.8 [CRITICAL] · CVE-2021-1497
Cisco HyperFlex HX contains multiple vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
Template:
id: CVE-2021-1497
info:
  name: Cisco HyperFlex HX Data Platform - Remote Command Execution
  author: gy741
  severity: critical
  description: Cisco HyperFlex HX contains multiple vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
  impact: |
    Attackers can execute arbitrary commands on the device, potentially leading to full system compromise.
  remediation: |
    Apply the latest security updates and patche
Nuclei
Cisco HyperFlex HX Data Platform - Remote Command Execution
nuclei · CVSS 9.8 [CRITICAL] · CVE-2021-1498
Cisco HyperFlex HX contains multiple vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
Template:
id: CVE-2021-1498
info:
  name: Cisco HyperFlex HX Data Platform - Remote Command Execution
  author: gy741
  severity: critical
  description: Cisco HyperFlex HX contains multiple vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system.
  remediation: |
    Apply the necessary sec
Metasploit
Cisco HyperFlex HX Data Platform Command Execution
metasploit
This module exploits an unauthenticated command injection in Cisco HyperFlex HX Data Platform's /storfs-asup endpoint to execute shell commands as the Tomcat user.
Qualys
NSA Alert: Topmost CVEs Actively Exploited By People's Republic of China State-Sponsored Cyber Actors
blogs_qualys · 2022-10-07 · CVSS 10.0 [CRITICAL]
Table of Contents: Detect & Prioritize 20 Publicly Known Vulnerabilities using VMDR 2.0; Identify Vulnerable Assets using Qualys Threat Protection; Recommendations & Mitigations; Contributors
On October 6, 2022, the United States National Security Agency (NSA) released a cybersecurity advisory on the activity of cyber actors sponsored by the Chinese government, officially the People's Republic of China (PRC), in pursuit of national interests. These malicious cyber activities attributed to the Chinese government targeted, and continue to target, a mixture of industries and organizations in the United States. The advisory provides the top CVEs used since 2020 by PRC state-sponsored cyber actors as evaluated by the National Security Agency (NSA), Cybersecurity and I
Tenable
Top 20 CVEs Exploited by People's Republic of China State-Sponsored Actors (AA22-279A)
blogs_tenable · 2022-10-07
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys · 2021-11-09
Table of Contents: Overview; Directive Scope; CISA Catalog of Known Exploited Vulnerabilities; Detect CISA's Vulnerabilities Using Qualys VMDR; Remediation; Federal Enterprises and Agencies Can Act Now; Summary; Getting Started
Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive 22-01, "Reducing the Significant Risk of Known Exploited Vulnerabilities." This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
GreyNoise
Malicious Tag Roundup (Jun 21-Jul 16, 2021)
blogs_greynoiseio · CVSS 5.3 [MEDIUM]
References
- http://packetstormsecurity.com/files/162976/Cisco-HyperFlex-HX-Data-Platform-Command-Execution.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-1497
Timeline
- 2021-05-06: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild