Cybersecurity

Critical Flaws in Cisco Small Business Switches Can Permit Remote Attacks


May 18, 2023Ravie LakshmananNetwork Security / Vulnerabilities

Cisco has released an update to address a set of nine security flaws in its Small Business Series Switches that could be exploited by an unauthenticated remote attacker to run arbitrary code or cause a denial-of-service (DoS) condition.

“This vulnerability was caused by an improper validation request sent to the web interface,” Cisco saidcredits an unnamed external researcher for reporting the matter.

Four of the nine vulnerabilities were rated 9.8 out of 10 on the CVSS rating system, making them critical. Nine deficiencies affected the following product lines –

  • 250 Series Smart Switches (Fixed in firmware version 2.5.9.16)
  • 350 Series Managed Switches (Fixed in firmware version 2.5.9.16)
  • 350X Series Stackable Managed Switches (Fixed in firmware version 2.5.9.16)
  • 550X Series Stackable Managed Switches (Fixed in firmware version 2.5.9.16)
  • Business 250 Series Smart Switches (Fixed in firmware version 3.3.0.16)
  • Business 350 Series Managed Switches (Fixed in firmware version 3.3.0.16)
  • Small Business 200 Series Smart Switches (Will not be patched)
  • Small Business 300 Series Managed Switches (Will not be patched)
  • Small Business 500 Series Stackable Managed Switches (Unpatched)

A brief description of each drawback is as follows –

  • CVE-2023-20159 (CVSS Score: 9.8): Cisco Small Business Series Switching Stack Buffer Overflow Vulnerability
  • CVE-2023-20160 (CVSS Score: 9.8): Cisco Small Business Series Switch Unauthenticated BSS Buffer Overflow Vulnerability
  • CVE-2023-20161 (CVSS Score: 9.8): Cisco Small Business Series Switch Unauthenticated Stack Buffer Overflow Vulnerability
  • CVE-2023-20189 (CVSS Score: 9.8): Cisco Small Business Series Switch Unauthenticated Stack Buffer Overflow Vulnerability
  • CVE-2023-20024 (CVSS Score: 8.6): Cisco Small Business Series Switch Unauthenticated Buffer Heap Overflow Vulnerability
  • CVE-2023-20156 (CVSS Score: 8.6): Cisco Small Business Series Switch Unauthenticated Buffer Heap Overflow Vulnerability
  • CVE-2023-20157 (CVSS Score: 8.6): Cisco Small Business Series Switch Unauthenticated Buffer Heap Overflow Vulnerability
  • CVE-2023-20158 (CVSS Score: 8.6): Cisco Small Business Series Switch Unauthenticated Denial-of-Service Vulnerability
  • CVE-2023-20162 (CVSS Score: 7.5): Cisco Small Business Series Switch Unauthenticated Configuration Read Vulnerability

A successful exploit of the aforementioned bug could allow an unauthenticated remote attacker to execute arbitrary code with root privileges on the affected device by sending specially crafted requests via a web-based user interface.

Alternatively, they can also be abused to trigger DoS conditions or read unauthorized information on vulnerable systems via malicious requests.

UPCOMING WEBINARS

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Fraud can detect advanced threats, stop lateral moves, and improve your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

Cisco said it does not plan to release firmware updates for its Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, Small Business 500 Series Stackable Managed Switches because they are entering the end of life process.

The networking equipment department also said it was aware of the availability of proof-of-concept (PoC) exploit code, but noted that they found no evidence of a malicious exploit in the wild.

With Cisco devices being tempting attack vectors for threat actors, users are advised to move quickly to apply patches to mitigate potential threats.

Found this article interesting? Follow us on Twitter And LinkedIn to read more exclusive content we post.





Source link

Related Articles

Back to top button