Cisco warns about public exploit code for critical flaws in its 220 Series smart switches

Cisco has fixed over 30 vulnerabilities in various solutions, including Cisco UCS Director, Cisco UCS Director Express for Big Data, Cisco IMC Supervisor, and the Cisco 220 Series smart switches.

Updates by product

Users of Cisco UCS Director and Cisco UCS Director Express for Big Data are advised to upgrade to versions 6.7.3.0 and 3.7.3.0, respectively, as they fix, among other things:

• CVE-2019-1938, an API authentication bypass vulnerability that could be triggered by a specially crafted HTTP requests sent to an affected device and could allow the attacker to execute arbitrary actions with administrator privileges on an affected system
• CVE-2019-1935, a documented default account with an undocumented default password and incorrect permission settings that could allow an attacker to log in to an affected system and execute arbitrary commands with the privileges of the scpuser account (this includes full read and write access to the system’s database)
• CVE-2019-1974, an authentication bypass vulnerability that could allow an unauthenticated, remote attacker to bypass user authentication and gain access as an administrative user
• CVE-2019-1937, another authentication bypass flaw that could allow an unauthenticated, remote attacker to acquire a valid session token with administrator privileges.

There is no indication that any of these flaws is being exploited in the wild.

Also, all except the first one (CVE-2019-1938) also affect the Cisco Integrated Management Controller Supervisor, which should be upgraded to releases 2.2.1.0 and later, which also fix a considerable number of high-risk flaws in this server management solution.

Cisco already pointed to the relevant security updates for Cisco 220 Series smart switches earlier this month, but they are now saying that public exploit code for all three of the fixed vulnerability exists, so users should upgrade their switches’ firmware to releases 1.1.4.4 and later as soon as possible.

Among the other fixes of particular note in this batch are those for:

• CVE-2019-9506, a Bluetooth key negotiation vulnerability that can be exploited in a KNOB attack. It affects Cisco’s Webex endpoints and several series of IP phones.
• CVE-2019-1649, a Secure Boot flaw that could allow an attacker with local access to modify the firmware of many of Cisco’s solutions, including its Adaptive Security Appliances (ASA), Firepower switches, and a huge number of router models.

“The Cisco Product Security Incident Response Team (PSIRT) is aware of the existence of proof-of-concept code that demonstrates [CVE-2019-1649] on the Cisco ASR 1001-X. There are no indications at this time that this proof-of-concept code is publicly available,” the company added.

UPDATE (September 3, 2019, 12:40 a.m. PT):

Security researcher Pedro Ribeiro, who discovered and responsibly disclosed CVE-2019-1935, CVE-2019-1937 and CVE-2019-1936, has published details on these vulnerabilities in his GitHub repository and has released corresponding Metasploit modules.