Serious Flaws Found in Cisco Small Business Switches
Nine security issues in Cisco’s Small Business Series Switches have been patched that an unauthenticated, remote attacker might use these flaws to execute arbitrary code or create a denial-of-service (DoS) condition.
Cisco recently credited an unnamed researcher for highlighting this issue in a report that says: “These vulnerabilities are due to improper validation of requests that are sent to the web interface”.
According to the CVSS rating system, four of the nine vulnerabilities are classified as critical since they score 9.8 out of 10. The nine vulnerabilities impact the following product lines.:
- 250 Series Smart Switches (Fixed in firmware version 2.5.9.16)
- 350 Series Managed Switches (Fixed in firmware version 2.5.9.16)
- 350X Series Stackable Managed Switches (Fixed in firmware version 2.5.9.16)
- 550X Series Stackable Managed Switches (Fixed in firmware version 2.5.9.16)
- Business 250 Series Smart Switches (Fixed in firmware version 3.3.0.16)
- Business 350 Series Managed Switches (Fixed in firmware version 3.3.0.16)
- Small Business 200 Series Smart Switches (Will not be patched)
- Small Business 300 Series Managed Switches (Will not be repaired)
- Small Business 500 Series Stackable Managed Switches (Will not be patched)
The description of each flaw is as follows:
- CVE-2023-20159 (CVSS score: 9.8): Cisco Small Business Series Switches Stack Buffer Overflow Vulnerability
- CVE-2023-20160 (CVSS score: 9.8): Cisco Small Business Series Switches Unauthenticated BSS Buffer Overflow Vulnerability
- CVE-2023-20161 (CVSS score: 9.8): Cisco Small Business Series Switches Unauthenticated Stack Buffer Overflow Vulnerability
- CVE-2023-20189 (CVSS score: 9.8): Cisco Small Business Series Switches Unauthenticated Stack Buffer Overflow Vulnerability
- CVE-2023-20024 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
- CVE-2023-20156 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
- CVE-2023-20157 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
- CVE-2023-20158 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Denial-of-Service Vulnerability
- CVE-2023-20162 (CVSS score: 7.5): Cisco Small Business Series Switches Unauthenticated Configuration Reading Vulnerability
By making a particularly crafted request through the web-based user interface, a successful exploit of the aforementioned issues could allow an unauthenticated, remote attacker to execute arbitrary code with root capabilities on a vulnerable device.
Alternatively, by means of a malicious request, they could be used maliciously to start a DoS condition or access unauthorized data on vulnerable systems.
As these devices have begun the end-of-life process, Cisco stated that it does not intend to issue firmware upgrades for Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, or Small Business 500 Series Stackable Managed Switches.
The manufacturer of networking equipment added that while it is aware that a proof-of-concept (PoC) exploit code is available, it has not yet seen any indications of malicious exploitation in the field.
If you like this content, Follow our LinkedIn and Facebook for more exclusive content like this!
Our Readers ALSO READ
ChatGpt-Based IOS and Android Apps are Ripping Off Users.
