CVE-2021-1498
Published: 2021-05-06
CVE-2021-1498: Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
Priority: P1 · 98 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · remediation due 2021-11-17
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
Affected
4 ranges (the first two rows carry no version data in the source)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_hyperflex_hx_data_platform | (none given) | (none given) |
| cisco | hyperflex_hx | (none given) | (none given) |
| cisco | hyperflex_hx_data_platform | < 4.0(2e) | 4.0(2e) |
| cisco | hyperflex_hx_data_platform | >= 4.5 and < 4.5(2a) | 4.5(2a) |
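Turning the table above into a triage check. This is an added example, not Cisco tooling or code from the page's sources. It assumes HyperFlex HX Data Platform versions are written major.minor(build[letter]) as in 4.0(2e), that a bare 4.5 sorts before 4.5(1a), and that a trailing letter sorts after no letter (4.0(2) < 4.0(2a)). Trains the table does not list (for example 4.1 to 4.4) are reported as unlisted rather than safe, because the page gives no data for them.

```python
"""
Affected-version triage for CVE-2021-1498 against the ranges in the table above.

Added example, not Cisco tooling. Assumptions (not from the page): versions are
major.minor(build[letter]) like 4.0(2e); bare 4.5 sorts before 4.5(1a); a trailing
letter sorts after no letter. Unlisted trains are reported, not declared safe.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, str]
_VER = re.compile(r"^\s*(\d+)\.(\d+)(?:\((\d+)([a-z]?)\))?\s*$")


def parse_version(text: str) -> Version:
    """'4.0(2e)' -> (4, 0, 2, 'e'); '4.5' -> (4, 5, 0, '')."""
    m = _VER.match(text)
    if not m:
        raise ValueError(f"unrecognised HyperFlex version: {text!r}")
    major, minor, build, letter = m.groups()
    return (int(major), int(minor), int(build) if build else 0, letter or "")


# (lower bound inclusive or None, upper bound exclusive, fixed release), from the table.
AFFECTED_RANGES = [
    (None, "4.0(2e)", "4.0(2e)"),
    ("4.5", "4.5(2a)", "4.5(2a)"),
]


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return ('affected', fixed) / ('fixed', fixed) / ('unlisted', None)."""
    v = parse_version(text)
    # 1. inside a listed vulnerable range
    for lo, hi, fixed in AFFECTED_RANGES:
        if (lo is None or v >= parse_version(lo)) and v < parse_version(hi):
            return ("affected", fixed)
    # 2. same train as a fixed release and at or past it
    for _, _, fixed in AFFECTED_RANGES:
        f = parse_version(fixed)
        if v[:2] == f[:2] and v >= f:
            return ("fixed", fixed)
    # 3. a train the table says nothing about: check the Cisco advisory instead
    return ("unlisted", None)


if __name__ == "__main__":
    for ver in ("4.0(2d)", "4.0(2e)", "4.1(1b)", "4.5(1a)", "4.5(2a)", "5.0(1a)"):
        status, fixed = assess(ver)
        print(f"{ver:>8}: {status}" + (f" (fixed in {fixed})" if fixed else ""))
```

The three-way answer matters in practice: a scanner that only implements the two listed ranges will silently report 4.1 through 4.4 as clean, which the page does not support.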
Detection & IOCs (extracted from sources)
- Monitor for POST requests to /storfs-asup whose 'action', 'token' or 'mode' parameters contain backtick-wrapped shell commands (command substitution syntax); these indicate command injection attempts.
- Monitor for POST requests to /auth/change or /auth with username=root and a password field containing Python os.system injection payloads (for example 'import os;os.system(...)' or crypt.crypt injection patterns).
- Successful exploitation executes commands as the 'tomcat8' user (the Tomcat service account); look for unexpected child processes spawned by tomcat8 on the Cisco HyperFlex HX Installer Virtual Machine.
- The /storfs-asup endpoint is the attack surface used by the Metasploit module for unauthenticated command injection; alert on any unauthenticated POST to this path.
- No workarounds are available for these vulnerabilities; only the vendor-supplied software updates remediate them.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
| vendor_cisco | | 9.8 | CRITICAL | |
CISA
Cisco HyperFlex HX Data Platform Command Injection Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2021-1498 [CRITICAL] CWE-78 Cisco HyperFlex HX Data Platform Command Injection Vulnerability
Vulnerability: Cisco HyperFlex HX Data Platform Command Injection Vulnerability
Affected: Cisco HyperFlex HX
Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the tomcat8 user.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-1498
Remediation Due Date: 2021-11-17
Cisco
Cisco HyperFlex HX Command Injection Vulnerabilities
vendor_cisco·2021-05-05·CVSS 9.8
CVE-2021-1497 [CRITICAL] CWE-78 Cisco HyperFlex HX Command Injection Vulnerabilities (the same advisory covers CVE-2021-1497 and CVE-2021-1498)
Cisco HyperFlex HX Command Injection Vulnerabilities
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
For more information about these vulnerabilities, see the Details section of this advisory.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR
Cisco
Cisco HyperFlex HX Command Injection Vulnerabilities
vendor_cisco · CVSS version 3.1 (base score 9.8)
CVE-2021-1498 Cisco HyperFlex HX Command Injection Vulnerabilities
CVE-2021-1498: Cisco HyperFlex HX Command Injection Vulnerabilities
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
CVSS version: 3.1
CWE: CWE-78
Bug IDs: CSCvx36014, CSCvx36019, CSCvx37435
GHSA
GHSA-h6vv-5xx4-c25q: Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
ghsa_unreviewed · 2022-05-24
CVE-2021-1498 [CRITICAL] CWE-77 GHSA-h6vv-5xx4-c25q: Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. (GHSA files this under CWE-77, generic command injection; NVD and Cisco use the more specific CWE-78, OS command injection.)
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
VulnCheck
Cisco HyperFlex HX Data Platform Command Injection Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-1498 [CRITICAL] CWE-78 Cisco HyperFlex HX Data Platform Command Injection Vulnerability
Cisco HyperFlex HX Data Platform Command Injection Vulnerability
Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the tomcat8 user.
Affected: Cisco HyperFlex HX
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://info.greynoise.io/hubfs/resources/GreyNoise-Early-Warning-Signals-Attacker-Behavior-Precedes-New-Vulnerabilities-Report.pdf
- https://www.greynoise.io/blog/scanning-surge-cisco-asa-devices
Remediation Due: 2021-11-17
Suricata
ET EXPLOIT Cisco HyperFlex HX RCE Outbound (CVE-2021-1498)
suricata·2021-07-08·CVSS 9.8
CVE-2021-1498 [CRITICAL] ET EXPLOIT Cisco HyperFlex HX RCE Outbound (CVE-2021-1498)
ET EXPLOIT Cisco HyperFlex HX RCE Outbound (CVE-2021-1498)
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Cisco HyperFlex HX RCE Outbound (CVE-2021-1498)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/storfs-asup"; fast_pattern; http.request_body; content:"&token="; content:"|60|"; distance:0; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:cve,2021-1498; classtype:attempted-admin; sid:2033283; rev:1; metadata:created_at 2021_07_08, cve CVE_2021_1498, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_08;)
Suricata
ET EXPLOIT Cisco HyperFlex HX RCE Inbound (CVE-2021-1498)
suricata·2021-07-08·CVSS 9.8
CVE-2021-1498 [CRITICAL] ET EXPLOIT Cisco HyperFlex HX RCE Inbound (CVE-2021-1498)
ET EXPLOIT Cisco HyperFlex HX RCE Inbound (CVE-2021-1498)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex HX RCE Inbound (CVE-2021-1498)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/storfs-asup"; fast_pattern; http.request_body; content:"&token="; content:"|60|"; distance:0; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:cve,2021-1498; classtype:attempted-admin; sid:2033282; rev:1; metadata:created_at 2021_07_08, cve CVE_2021_1498, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_08;)
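The two ET rules above and the /storfs-asup and /auth/change indicators in the Detection & IOCs section describe the same request shapes. The following is an added example, not code from Emerging Threats, Cisco or any source on this page: it re-implements the ET match logic (POST, URI containing /storfs-asup, body containing "&token=" followed by a literal backtick) in Python, then adds two things the byte-level rule does not do, namely URL-decoded inspection of the action/token/mode parameters (which also catches a %60-encoded backtick and, as a generalisation beyond the backtick IOC, $(...) substitution) and the /auth or /auth/change root-password Python-injection IOC. The HttpRequest records are constructed samples, not captured traffic.

```python
"""
Request-level detection for CVE-2021-1498 exploitation attempts.

Added example, not code from the page's sources. Re-implements the ET EXPLOIT
rules (sid 2033282/2033283) for /storfs-asup, adds URL-decoded parameter checks
and the /auth/change username=root Python-injection IOC. SAMPLES are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple
from urllib.parse import parse_qs


@dataclass(frozen=True)
class HttpRequest:
    method: str
    uri: str
    body: str  # raw, still URL-encoded, as Suricata's http.request_body sees it


def et_storfs_asup_raw(req: HttpRequest) -> bool:
    """Equivalent of the ET rule: POST, URI contains /storfs-asup, body contains
    "&token=" followed later (distance:0) by a literal backtick (|60|).
    Works on the raw body, so a %60-encoded backtick is NOT matched here,
    the same blind spot the Suricata rule has."""
    if req.method != "POST" or "/storfs-asup" not in req.uri:
        return False
    marker = req.body.find("&token=")
    return marker >= 0 and "`" in req.body[marker + len("&token="):]


_CMD_SUBST = re.compile(r"`[^`]*`|\$\([^)]*\)")  # `cmd` or $(cmd)


def storfs_asup_decoded_cmdsubst(req: HttpRequest) -> bool:
    """Decoded-parameter form of the IOC: action/token/mode carrying shell
    command substitution. Catches the %60-encoded variant the raw rule misses;
    $(...) is an added generalisation beyond the page's backtick indicator."""
    if req.method != "POST" or "/storfs-asup" not in req.uri:
        return False
    params = parse_qs(req.body, keep_blank_values=True)
    return any(_CMD_SUBST.search(v)
               for key in ("action", "token", "mode")
               for v in params.get(key, []))


_PY_INJECT = re.compile(r"import\s+os|os\.system\s*\(|crypt\.crypt", re.IGNORECASE)
_AUTH_PATH = re.compile(r"^/auth(?:/change)?(?:[?/]|$)")


def auth_root_python_injection(req: HttpRequest) -> bool:
    """POST to /auth or /auth/change with username=root and a password field
    carrying the Python os.system / crypt.crypt injection patterns from the IOC."""
    if req.method != "POST" or not _AUTH_PATH.match(req.uri):
        return False
    params = parse_qs(req.body, keep_blank_values=True)
    if "root" not in params.get("username", []):
        return False
    return any(_PY_INJECT.search(p) for p in params.get("password", []))


CHECKS: List[Tuple[str, Callable[[HttpRequest], bool]]] = [
    ("ET-2033282 storfs-asup raw backtick", et_storfs_asup_raw),
    ("storfs-asup decoded cmd-substitution", storfs_asup_decoded_cmdsubst),
    ("auth root python-injection", auth_root_python_injection),
]


def scan(requests: List[HttpRequest]) -> List[Tuple[int, str]]:
    """Return (request index, check name) for every check that fires."""
    return [(i, name)
            for i, req in enumerate(requests)
            for name, check in CHECKS if check(req)]


# Constructed sample traffic (not captured from a real device).
SAMPLES = [
    HttpRequest("POST", "/storfs-asup", "action=&token=`id`&mode="),        # PoC shape
    HttpRequest("POST", "/storfs-asup", "action=&token=%60id%60&mode="),    # encoded backtick
    HttpRequest("POST", "/auth/change",
                "username=root&password=import%20os%3Bos.system%28%22id%22%29"),
    HttpRequest("GET", "/storfs-asup", ""),                                 # benign probe
    HttpRequest("POST", "/auth/change", "username=admin&password=Winter2021%21"),
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLES):
        print(f"request {idx}: {name}")
```

The second sample is the point of the exercise: it is the same payload as the first with the backtick percent-encoded, and only the decoded check fires on it. Pair the network rule with a host-side check for child processes of the tomcat8 user, as the Detection section recommends, rather than relying on the body byte-match alone.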
Nuclei
Cisco HyperFlex HX Data Platform - Remote Command Execution
nuclei·CVSS 9.8
CVE-2021-1497 [CRITICAL] Cisco HyperFlex HX Data Platform - Remote Command Execution
Cisco HyperFlex HX Data Platform - Remote Command Execution
Cisco HyperFlex HX contains multiple vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
Template:
```yaml
id: CVE-2021-1497
info:
  name: Cisco HyperFlex HX Data Platform - Remote Command Execution
  author: gy741
  severity: critical
  description: Cisco HyperFlex HX contains multiple vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
  impact: |
    Attackers can execute arbitrary commands on the device, potentially leading to full system compromise.
  remediation: |
    Apply the latest security updates and patche
```
Nuclei
Cisco HyperFlex HX Data Platform - Remote Command Execution
nuclei·CVSS 9.8
CVE-2021-1498 [CRITICAL] Cisco HyperFlex HX Data Platform - Remote Command Execution
Cisco HyperFlex HX Data Platform - Remote Command Execution
Cisco HyperFlex HX contains multiple vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
Template:
```yaml
id: CVE-2021-1498
info:
  name: Cisco HyperFlex HX Data Platform - Remote Command Execution
  author: gy741
  severity: critical
  description: Cisco HyperFlex HX contains multiple vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system.
  remediation: |
    Apply the necessary sec
```
Metasploit
Cisco HyperFlex HX Data Platform Command Execution
metasploit
Cisco HyperFlex HX Data Platform Command Execution
Cisco HyperFlex HX Data Platform Command Execution
This module exploits an unauthenticated command injection in Cisco HyperFlex HX Data Platform's /storfs-asup endpoint to execute shell commands as the Tomcat user.
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01
## Table of Contents
- Overview
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA's Vulnerabilities Using Qualys VMDR
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01 , “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Unit42
Network Security Trends: May-July 2021
blogs_unit42 · 2021-09-17
Network Security Trends: May-July 2021
By Yue Guan and Lei Xu · Published: September 17, 2021 · Threat Research Center: Trend Reports, Vulnerabilities, Exploit in the wild
## Executive Summary
Unit 42 researchers continue to observe network security trends, tracking how cybercriminals take advantage of vulnerabilities in the real world. The following sections present our analysis of the most recently published vulnerabilities, including their severity and category distribution. Additionally, we provide insight into how the vulnerabilities are exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We highlight vulnerabilities ranked medium severity and above that were newly published from May-July 2021 in order to raise awareness of their active exploits in the wild. We then draw conclusions about the most commonly exploited vulnerabilities we observed attackers using, as well as the severity, category and
Fortinet
The Ghosts of Mirai | FortiGuard Labs
blogs_fortinet·2021-06-24
The Ghosts of Mirai | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
The Ghosts of Mirai
By David Maciejak and Joie Salvio | June 24, 2021
FortiGuard Labs Threat Research Report
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
It has been almost five years since the source code of the notorious MIRAI IoT malware was released to the public by its author in late 2016. This event led to the emergence of numerous copycats, creating their own flavors of IoT botnet armies. Although improvements have been constantly added since then by various threat actors, the structure and goal of the campaigns have remained the same.
IoT malware scans the Internet for IoT devices that use default or weak usernames and passwords. They also seek
Greynoiseio
Malicious Tag Roundup (Jun 21-Jul 16, 2021)
blogs_greynoiseio·CVSS 5.3
[MEDIUM] Malicious Tag Roundup (Jun 21-Jul 16, 2021)
References
- http://packetstormsecurity.com/files/162976/Cisco-HyperFlex-HX-Data-Platform-Command-Execution.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-1498
Timeline
- 2021-05-06: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild