Several vulnerabilities were found in Cisco’s small business switches that could allow an attacker to take remote control of the devices, according to the company. Cisco has fixed all these flaws, which are located in the web-based management interface of the devices. Hackers can exploit these issues without the need for authentication, as they have been detected in functionality where authentication is not mandatory. Cisco gave no specific details but recommended customers update to the latest firmware versions to prevent possible attacks, urging them to do so as soon as possible.

The flaws that have been identified are categorised as buffer overflows, which can be manipulated to execute arbitrary code with root permissions. This means that, when these four buffer overflow flaws (tracked as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189) are exploited, it generally results in a complete compromise of the device. These four flaws received a 9.8 out of 10 severity rating on the CVSS scale.

Another four flaws caused by buffer overflow conditions can lead to denial-of-service against vulnerable devices while processing maliciously crafted requests. These four flaws (CVE-2023-20156, CVE-2023-20024, CVE-2023-20157, and CVE-2023-20158), which are rated at an 8.6 severity level, can be fixed by patching and updating to the correct firmware.

The final vulnerability discovered is a configuration reading error that enables hackers to read unauthorized information from affected devices without authentication. This flaw, tracked as CVE-2023-20162, is rated with a 7.5 severity level (High) and can also be updated by the implementation of the latest firmware.

To exploit these vulnerabilities, attackers must have access to the web management interface, which can be accomplished directly when the management interface is exposed to the internet, or indirectly by gaining a foothold on an internal network that uses a vulnerable switch.

It’s worth noting that the vulnerabilities affect versions 2.5.9.15 and earlier of the Cisco firmware for 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, and 550X Series Stackable Managed Switches, as well as firmware version 3.3.0.15 and earlier for Business 250 Series Smart Switches and Business 350 Series Managed Switches. Cisco released fixed firmware versions 2.5.9.16 and 3.3.0.16, respectively, for the firmware issues, while the Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, and Small Business 500 Series Stackable Managed Switches will not receive firmware upgrades since they are nearing end-of-life.

Not all affected firmware versions are impacted by all vulnerabilities, which suggests some flaws might be version-specific. Nevertheless, customers should upgrade to the latest firmware version as soon as possible as there are no known workarounds and attackers have previously taken an interest in Cisco devices before, posing a threat to users.

Lidhja e burimit