Critical holes plugged in Cisco 220 Series smart switches

Cisco has fixed three vulnerabilities in its Cisco 220 Series smart switches and is urging owners to upgrade their firmware as soon as possible.

Among these are two critical flaws that could allow unauthenticated, remote attackers to compromise vulnerable devices.

About the vulnerabilities

Cisco 220 Series smart switches are generally used by small and midsize businesses.

All the flaws affect the switches’ web management interface, which is enabled by default.

CVE-2019-1912 is an authentication bypass hole that can be exploited by attackers sending a malicious request to certain parts of the web management interface. Successful exploitation could allow the attacker to modify the configuration of an affected device or to inject a reverse shell.

CVE-2019-1913 encompasses multiple vulnerabilities that could allow an attacker to overflow a buffer and execute arbitrary code with root privileges on the underlying operating system.

“An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device. Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS,” Cisco explained.

Finally, CVE-2019-1914 can be exploited to execute arbitrary shell commands with the privileges of the root user, but the attacker needs a valid login session in the web management interface as a privilege level 15 user in order to exploit it.

No workarounds are available – users are advised to upgrade to firmware version 1.1.4.4 or later to plug the holes.

Cisco networking equipment is used widely and vulnerabilities in those devices are often exploited by attackers, most often to conscript vulnerable devices into botnets but also to use them as a stepping stone into corporate networks.

The good news is that the flaws were responsibly disclosed by a security researcher and there is no indication that they are being currently exploited in the wild.