Cisco fixes critical flaws in Small Business Series Switches

Nine vulnerabilities – 4 of them critical – have been found in a variety of Cisco Small Business Series Switches.

PoC exploit code is available (but not public), and there is no indication that they are being exploited in the wild.

About the vulnerabilities

The critical vulnerabilties (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, CVE-2023-20189) can be triggered via the switches’ web-based user interface, and may enable a remote attacker without authentication to run arbitrary code on a vulnerable device.

The source of all nine flaws is the improper validation of requests that are sent to the web interface, meaning that a specially crafted malicious request may be executed.

The remaining five vulnerabilities are high-risk, and allow attackers either to trigger denial of service (DoS) or read unauthorized information on an affected device.

All nine vulnerabilities have been reported by an anonymous external researcher, and it’s likely that the PoCs have also been privately shared by the same individual.

“The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability,” Cisco noted in the security advisory..

“In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.”

Update the firmware or retire devices

The following devices are affected:

  • 250 Series Smart Switches
  • 350 Series Managed Switches
  • 350X Series Stackable Managed Switches
  • 550X Series Stackable Managed Switches
  • Business 250 Series Smart Switches
  • Business 350 Series Managed Switches
  • Small Business 200 Series Smart Switches
  • Small Business 300 Series Managed Switches
  • Small Business 500 Series Stackable Managed Switches

220 Series Smart Switches and Business 220 Series Smart Switches are not affected.

There are no workarounds to fix the vulnerabilties.

Cisco has released software updates to fix these vulnerabilities, but not for devices that have entered the end-of-life process: 200, 300 and 500 Series Small Business Switches.

Don't miss