Urgent Security Updates Released for Cisco Small Business Switches to Thwart Potential Remote Attack

On May 18, 2023, Cisco announced the release of updates to rectify nine significant security vulnerabilities in its Small Business Series Switches. These flaws could potentially be exploited by unauthorized remote attackers to execute arbitrary code or induce a denial-of-service (DoS) situation.


The vulnerabilities stem from the improper validation of requests sent to the web interface, as stated by Cisco. An external researcher, who remains anonymous, reported these issues.

The severity of four out of the nine vulnerabilities is rated as 9.8 out of 10 on the CVSS scoring system, categorizing them as critical. The affected product lines include:

  • 250 Series Smart Switches (Resolved in firmware version 2.5.9.16)

  • 350 Series Managed Switches (Resolved in firmware version 2.5.9.16)

  • 350X Series Stackable Managed Switches (Resolved in firmware version 2.5.9.16)

  • 550X Series Stackable Managed Switches (Resolved in firmware version 2.5.9.16)

  • Business 250 Series Smart Switches (Resolved in firmware version 3.3.0.16)

  • Business 350 Series Managed Switches (Resolved in firmware version 3.3.0.16)

  • Small Business 200 Series Smart Switches (No patch will be provided)

  • Small Business 300 Series Managed Switches (No patch will be provided)

  • Small Business 500 Series Stackable Managed Switches (No patch will be provided)
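The product list above is essentially a lookup table a defender has to run an inventory against: is each switch on a product line with a fix, and is its running firmware at or above the fixed version? The following is an added example (not Cisco tooling or code from the advisory) that does that check. The product-line names and fixed versions are transcribed from the list above; the hostnames and running firmware versions in the sample inventory are constructed, and the assumption that firmware versions are dotted numeric strings is mine.

```python
"""Inventory check against the fixed firmware versions listed in the advisory.

Added example, not Cisco's code. The product/version table is transcribed from
the advisory text; the sample inventory below is constructed for illustration.
"""

from typing import Dict, List, Optional, Tuple

# Fixed firmware per product line, from the advisory.
# None means the line is end-of-life and no patch will be released.
FIXED_FIRMWARE: Dict[str, Optional[str]] = {
    "250 Series Smart Switches": "2.5.9.16",
    "350 Series Managed Switches": "2.5.9.16",
    "350X Series Stackable Managed Switches": "2.5.9.16",
    "550X Series Stackable Managed Switches": "2.5.9.16",
    "Business 250 Series Smart Switches": "3.3.0.16",
    "Business 350 Series Managed Switches": "3.3.0.16",
    "Small Business 200 Series Smart Switches": None,
    "Small Business 300 Series Managed Switches": None,
    "Small Business 500 Series Stackable Managed Switches": None,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.9.16' into (2, 5, 9, 16) so versions compare numerically.

    A plain string comparison gets this wrong: '2.5.9.9' > '2.5.9.16' as text,
    which would mark an unpatched switch as patched.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(product_line: str, running: str) -> str:
    """Classify one switch: 'patched', 'vulnerable', 'end-of-life' or 'unknown-product'."""
    if product_line not in FIXED_FIRMWARE:
        return "unknown-product"  # not in the advisory; not claimed safe, just out of scope
    fixed = FIXED_FIRMWARE[product_line]
    if fixed is None:
        # Affected, but no fix will ship: mitigation is replacement or isolation.
        return "end-of-life"
    r, f = parse_version(running), parse_version(fixed)
    # Versions may differ in length ('2.5.9' vs '2.5.9.16'); pad with zeros.
    width = max(len(r), len(f))
    r += (0,) * (width - len(r))
    f += (0,) * (width - len(f))
    return "patched" if r >= f else "vulnerable"


# Constructed sample inventory: (hostname, product line, running firmware).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("sw-floor1", "250 Series Smart Switches", "2.5.9.16"),
    ("sw-floor2", "250 Series Smart Switches", "2.5.9.9"),
    ("sw-lab", "Business 350 Series Managed Switches", "3.3.0.16"),
    ("sw-legacy", "Small Business 300 Series Managed Switches", "1.4.11.5"),
]


def audit(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Assess every switch in the inventory; returns hostname -> status."""
    return {host: assess(line, version) for host, line, version in inventory}


def needs_action(results: Dict[str, str]) -> List[str]:
    """Hosts that still expose the web-interface flaws: unpatched or unpatchable."""
    return sorted(h for h, s in results.items() if s in ("vulnerable", "end-of-life"))


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for host, status in results.items():
        print(f"{host:12} {status}")
    print("needs action:", needs_action(results))
```

Two details matter in practice: the numeric comparison in `parse_version` (a string compare would misclassify `2.5.9.9` as newer than `2.5.9.16`), and the separate `end-of-life` state, since those switches are affected but will never report a fixed version, so they should be tracked for replacement or isolation of their web interface rather than waiting for a patch.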

The vulnerabilities, each identified by a CVE number and an associated CVSS score, range from buffer overflows to denial-of-service and configuration-reading flaws.

Successful exploitation of these vulnerabilities could allow an unauthenticated remote attacker to run arbitrary code with root privileges on an affected device, by sending a specially crafted request to the web-based user interface.


Alternatively, the flaws could be exploited to induce a DoS condition or access unauthorized information on vulnerable systems.

Cisco has stated that it does not intend to release firmware updates for the Small Business 200, 300, and 500 Series due to their end-of-life status.

While a proof-of-concept (PoC) exploit code is available, Cisco has not found any evidence of these vulnerabilities being exploited maliciously in the wild. However, given the potential risk, users are urged to apply the patches promptly to safeguard against potential threats.

