First published: Thu Feb 21 2019
A vulnerability in the hxterm service of Cisco HyperFlex Software could allow an unauthenticated, local attacker to gain root access to all nodes in the cluster. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by connecting to the hxterm service as a non-privileged, local user. A successful exploit could allow the attacker to gain root access to all member nodes of the HyperFlex cluster. This vulnerability affects Cisco HyperFlex Software Releases prior to 3.5(2a).
Credit: ykramarz@cisco.com
Affected Software | Affected Version | How to fix |
---|---|---|
Cisco HyperFlex HX Data Platform | =2.6\(1a\) | |
Cisco HyperFlex HX Data Platform | =2.6\(1b\) | |
Cisco HyperFlex HX Data Platform | =2.6\(1d\) | |
Cisco HyperFlex HX Data Platform | =2.6\(1e\) | |
Cisco HyperFlex HX Data Platform | =3.0\(1a\) | |
Cisco HyperFlex HX Data Platform | =3.0\(1b\) | |
Cisco HyperFlex HX Data Platform | =3.0\(1c\) | |
Cisco HyperFlex HX Data Platform | =3.0\(1d\) | |
Cisco HyperFlex HX Data Platform | =3.0\(1e\) | |
Cisco HyperFlex HX Data Platform | =3.0\(1h\) | |
Cisco HyperFlex HX Data Platform | =3.0\(1i\) | |
Cisco HyperFlex HX Data Platform | =3.5\(1a\) | |
CVE-2019-1664 is a vulnerability in Cisco HyperFlex Software that allows an unauthenticated, local attacker to gain root access to all nodes in the cluster.
The severity of CVE-2019-1664 is rated as high with a severity value of 7.8.
An attacker can exploit CVE-2019-1664 by connecting to the hxterm service of Cisco HyperFlex Software.
The affected versions of Cisco HyperFlex HX Data Platform for CVE-2019-1664 include 2.6(1a), 2.6(1b), 2.6(1d), 2.6(1e), 3.0(1a), 3.0(1b), 3.0(1c), 3.0(1d), 3.0(1e), 3.0(1h), 3.0(1i), and 3.5(1a).
To mitigate CVE-2019-1664, Cisco has released software updates that address the vulnerability. It is recommended to update to the latest version of Cisco HyperFlex Software.