Cisco thanks sanctioned Russian security company for reporting critical pre-auth RCE bug.

CVSS 9.8 bug in Cisco HyperFlex HX reported by Positive Technologies.

Cisco has thanked Positive Technologies -- the Moscow-based cybersecurity company sanctioned by the US for alleged support of Russian intelligence -- for reporting a critical vulnerability that could let a remote, unauthenticated attacker gain root access to Cisco software used for enterprise-grade data management.

CVE-2021-1497 (CVSS 9.8) is a pre-auth RCE bug in Cisco HyperFlex HX Installer. In a security advisory on May 5, Cisco admitted that it could allow an "unauthenticated, remote attacker to perform a command injection attack against an affected device." (There is no workaround to mitigate the vuln. Patch this one...)

Cisco added: "This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary commands on an affected device as the root user."

From Russia, with love.

Cisco thanked Nikita Abramov and Mikhail Klyuchnikov of Positive Technologies for reporting the vulnerabilities, in an incident that casts a fresh light on some of the absurdities thrown up as geopolitics, cybersecurity, and the bug disclosure efforts of private companies overlap ever more regularly.

On April 15, the US Treasury described Positive Technologies as supporting “Russian Government clients, including the FSB”, adding that “Positive Technologies provides computer network security solutions to Russian businesses, foreign governments, and international companies and hosts large-scale conventions that are used as recruiting events for the FSB and GRU.” (Respectively, Russian civilian and military intelligence agencies.)

The Treasury sanctions “generally prohibit all transactions by U.S. persons … that include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person or the receipt of any contribution or provision of funds, goods, or services from any such person.”

In a lengthy Russian-language interview on May 4, Positive Technologies founder Yuri Maksimov said that "it is clear that some work related to the elimination of vulnerabilities in American companies, which we helped to do, will suffer [from sanctions]. Is this dramatic for the whole world? Not. But the very fact that some short-term (no matter political, economic or competitive) reasons prevail over long-term and strategic ones, is regrettable."

Maksimov added that the company had anticipated the risk of sanctions for five years, did almost zero work in the US, and shrugged off the impact: its entities in Asia and Europe had their "own set of services and products, own development... only one legal entity from a group of companies in Russia fell under the sanctions, and we retained the opportunity to sell our products, providing our clients with conditions under which they do not face sanction risks. Thus, we can work with our partners without the participation of our sanctioned legal entity."
