CVE-2021-1499
published 2021-05-06CVE-2021-1499: A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an…
PriorityP265medium5.3CVSS 3.1
AVNACLPRNUINSUCNILAN
EXPLOIT
EPSS
80.43%
99.6th percentile
A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_hyperflex_hx_data_platform | — | — |
| cisco | hyperflex_hx_data_platform | < 4.0\(2e\) | 4.0\(2e\) |
| cisco | hyperflex_hx_data_platform | >= 4.5 < 4.5\(2a\) | 4.5\(2a\) |
| cisco | hyperflex_hx_data_platform_file_upload | — | — |
Detection & IOCsextracted from sources · hover to see the quote
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex HX Data Platform Pre-Auth RCE Inbound (CVE-2021-1499)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload"; http.request_body; content:"name=|22|"; content:"filename=|22|../../"; fast_pattern; reference:cve,2021-1499; classtype:attempted-admin; sid:2033907; rev:1; metadata:attack_target Server, created_at 2021_09_07, cve CVE_2021_1499, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_09_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes
name=|22|
bytes
filename=|22|../../
- →Detect unauthenticated HTTP POST requests to the /upload endpoint on HyperFlex management interfaces; no authentication headers should be present. ↗
- →Look for path traversal sequences (e.g., ../../) in the multipart form-data filename field of POST requests to /upload, indicating directory traversal attempts.
- →Successful exploitation response contains JSON keys '{"result":' and '"filename:' along with the uploaded path; match these in HTTP 200 responses to confirm exploitation. ↗
- →Emerging Threats rule SID 2033907 covers inbound exploitation attempts; deploy at perimeter and internal sensors with high confidence.
- →Monitor for new files appearing under /tmp/ owned by the tomcat8 user following POST requests to /upload, as a post-exploitation indicator. ↗
- ·The vulnerability exists specifically because the /upload endpoint requires no authentication; there are no workarounds — only patching resolves the issue. ↗
- ·Uploaded files are written with tomcat8 user permissions, limiting but not eliminating post-exploitation impact; chaining with other vulnerabilities can lead to full RCE. ↗
- ·Cisco bug IDs CSCvx36028 and CSCvx52126 track this issue; ensure both are addressed when applying patches. ↗
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:N
vendor_cisco5.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-389x-22j4-jr37: A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload fi
ghsa_unreviewed·2022-05-24
CVE-2021-1499 [MEDIUM] CWE-306 GHSA-389x-22j4-jr37: A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload fi
A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user.
Cisco
Cisco HyperFlex HX Data Platform File Upload Vulnerability
vendor_cisco·2021-05-05·CVSS 5.3
CVE-2021-1499 [MEDIUM] CWE-306 Cisco HyperFlex HX Data Platform File Upload Vulnerability
Cisco HyperFlex HX Data Platform File Upload Vulnerability
A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device.
This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/c
Cisco
Cisco HyperFlex HX Data Platform File Upload Vulnerability
vendor_cisco·CVSS 3.1
CVE-2021-1499 Cisco HyperFlex HX Data Platform File Upload Vulnerability
CVE-2021-1499: Cisco HyperFlex HX Data Platform File Upload Vulnerability
A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Cisco has released software updates that address this vulnerability. There are no
CVSS: 3.1
CWE: CWE-306, CWE-306
Bug IDs: CSCvx36028, CSCvx52126
Suricata
ET EXPLOIT Cisco HyperFlex HX Data Platform Pre-Auth RCE Inbound (CVE-2021-1499)
suricata·2021-09-07·CVSS 5.3
CVE-2021-1499 [MEDIUM] ET EXPLOIT Cisco HyperFlex HX Data Platform Pre-Auth RCE Inbound (CVE-2021-1499)
ET EXPLOIT Cisco HyperFlex HX Data Platform Pre-Auth RCE Inbound (CVE-2021-1499)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex HX Data Platform Pre-Auth RCE Inbound (CVE-2021-1499)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload"; http.request_body; content:"name=|22|"; content:"filename=|22|../../"; fast_pattern; reference:cve,2021-1499; classtype:attempted-admin; sid:2033907; rev:1; metadata:attack_target Server, created_at 2021_09_07, cve CVE_2021_1499, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_09_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Applic
Metasploit
Cisco HyperFlex HX Data Platform unauthenticated file upload to RCE (CVE-2021-1499)
metasploit·CVSS 5.3
CVE-2021-1499 [MEDIUM] Cisco HyperFlex HX Data Platform unauthenticated file upload to RCE (CVE-2021-1499)
Cisco HyperFlex HX Data Platform unauthenticated file upload to RCE (CVE-2021-1499)
This module exploits an unauthenticated file upload vulnerability in Cisco HyperFlex HX Data Platform's /upload endpoint to upload and execute a payload as the Tomcat user.
Nuclei
Cisco HyperFlex HX Data Platform - Arbitrary File Upload
nuclei·CVSS 5.3
CVE-2021-1499 [MEDIUM] Cisco HyperFlex HX Data Platform - Arbitrary File Upload
Cisco HyperFlex HX Data Platform - Arbitrary File Upload
Cisco HyperFlex HX Data Platform contains an arbitrary file upload vulnerability in the web-based management interface. An attacker can send a specific HTTP request to an affected device, thus enabling upload of files to the affected device with the permissions of the tomcat8 user.
Template:
id: CVE-2021-1499
info:
name: Cisco HyperFlex HX Data Platform - Arbitrary File Upload
author: gy741
severity: medium
description: Cisco HyperFlex HX Data Platform contains an arbitrary file upload vulnerability in the web-based management interface. An attacker can send a specific HTTP request to an affected device, thus enabling upload of files to the affected device with the permissions of the tomcat8 user.
impact: |
Allows an attacker to
http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.htmlhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugzhttp://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.htmlhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz
2021-05-06
Published