The Cyber Security News

Critical Flaws in Cisco Small Business Switches Could Allow Remote Attacks

May 18, 2023

Cisco has released updates to address a set of nine security flaws in its Small Business Series Switches that could be exploited by an unauthenticated, remote attacker to run arbitrary code or cause a denial-of-service (DoS) condition.

“These vulnerabilities are due to incorrect validation of requests that are sent to the web interface,” Cisco said, crediting an unnamed external researcher for reporting the issues.

Four of the nine vulnerabilities are rated 9.8 out of 10 on the CVSS scoring system, making them critical in nature. The nine flaws affect the following product lines –

  • 250 Series Smart Switches (Fixed in firmware version 2.5.9.16)
  • 350 Series Managed Switches (Fixed in firmware version 2.5.9.16)
  • 350X Series Stackable Managed Switches (Fixed in firmware version 2.5.9.16)
  • 550X Series Stackable Managed Switches (Fixed in firmware version 2.5.9.16)
  • Business 250 Series Smart Switches (Fixed in firmware version 3.3..16)
  • Business 350 Series Managed Switches (Fixed in firmware version 3.3..16)
  • Small Business 200 Series Smart Switches (Will not be patched)
  • Small Business 300 Series Managed Switches (Will not be patched)
  • Small Business 500 Series Stackable Managed Switches (Will not be patched)

A brief description of each of the flaws is as follows –

  • CVE-2023-20159 (CVSS score: 9.8): Cisco Small Business Series Switches Stack Buffer Overflow Vulnerability
  • CVE-2023-20160 (CVSS score: 9.8): Cisco Small Business Series Switches Unauthenticated BSS Buffer Overflow Vulnerability
  • CVE-2023-20161 (CVSS score: 9.8): Cisco Small Business Series Switches Unauthenticated Stack Buffer Overflow Vulnerability
  • CVE-2023-20189 (CVSS score: 9.8): Cisco Small Business Series Switches Unauthenticated Stack Buffer Overflow Vulnerability
  • CVE-2023-20024 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
  • CVE-2023-20156 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
  • CVE-2023-20157 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
  • CVE-2023-20158 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Denial-of-Service Vulnerability
  • CVE-2023-20162 (CVSS score: 7.5): Cisco Small Business Series Switches Unauthenticated Configuration Reading Vulnerability

Successful exploitation of the aforementioned bugs could permit an unauthenticated, remote attacker to execute arbitrary code with root privileges on an affected device by sending a specially crafted request through the web-based user interface.

Alternatively, they could also be abused to trigger a DoS condition or read unauthorized information on vulnerable systems by means of a malicious request.

Cisco said it does not plan to release firmware updates for Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, and Small Business 500 Series Stackable Managed Switches as they have entered the end-of-life process.

The networking equipment major also said it’s aware of the availability of a proof-of-concept (PoC) exploit code, but noted that it did not observe any evidence of malicious exploitation in the wild.

With Cisco appliances becoming a lucrative attack vector for threat actors, users are advised to move quickly to apply the patches to mitigate potential threats.
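To act on the list above, a switch inventory can be triaged against the fixed firmware versions. The following is an added example, not code from Cisco or from the original article; the CSV layout, host names, status labels and sample firmware values are constructed. The Business 250 and Business 350 lines are left out because the fixed version as printed on this page is incomplete and should be taken from Cisco's advisory.

```python
import csv
import io

# Fix status per product line, as listed in the article above.
# None means end-of-life: no firmware fix will be released.
FIXED = {
    "250 Series Smart Switches": "2.5.9.16",
    "350 Series Managed Switches": "2.5.9.16",
    "350X Series Stackable Managed Switches": "2.5.9.16",
    "550X Series Stackable Managed Switches": "2.5.9.16",
    "Small Business 200 Series Smart Switches": None,
    "Small Business 300 Series Managed Switches": None,
    "Small Business 500 Series Stackable Managed Switches": None,
}

def parse_version(text):
    """Turn '2.5.9.15' into (2, 5, 9, 15) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))

def triage(product, firmware):
    """Classify one device by product line and running firmware version."""
    if product not in FIXED:
        return "UNKNOWN_PRODUCT"       # not in the table: check the advisory by hand
    fixed = FIXED[product]
    if fixed is None:
        return "EOL_NO_FIX"            # no patch coming: plan replacement or isolation
    try:
        running = parse_version(firmware)
    except ValueError:
        return "UNPARSEABLE_VERSION"   # inventory data problem, needs a manual look
    return "PATCHED" if running >= parse_version(fixed) else "UPGRADE_REQUIRED"

def triage_inventory(csv_text):
    """Map host -> status for a CSV with host, product and firmware columns."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: triage(r["product"], r["firmware"]) for r in rows}

# Constructed sample inventory (hosts and firmware values are illustrative).
SAMPLE = """host,product,firmware
sw-lobby,250 Series Smart Switches,2.5.9.15
sw-core,350X Series Stackable Managed Switches,2.5.9.16
sw-lab,550X Series Stackable Managed Switches,2.5.10.2
sw-old,Small Business 300 Series Managed Switches,1.4.11.5
sw-b350,Business 350 Series Managed Switches,3.2.0.84
"""

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host:10} {status}")
```

The numeric comparison matters: compared as plain strings, 2.5.10.2 would sort below 2.5.9.16 and a patched device would be flagged for upgrade.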

Some parts of this article are sourced from:
thehackernews.com
