CONFERENCE Cyber AI & Automation Summit - NOW LIVE
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Cisco Patches Critical Flaws in Network Switches

Cisco this week released patches to address several vulnerabilities in its Small Business 220 Series Smart Switches, including two bugs rated Critical severity.

Cisco this week released patches to address several vulnerabilities in its Small Business 220 Series Smart Switches, including two bugs rated Critical severity.

The most important of these issues could allow an unauthenticated, remote attacker to execute arbitrary code with root privileges on the underlying operating system.

Tracked as CVE-2019-1913 and featuring a CVSS score of 9.8, the flaw consists of multiple vulnerabilities in the web management interface of the smart switches. 

“The vulnerabilities are due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer. An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device,” Cisco explains.

The requests must be sent via HTTP or HTTPS, depending on the configuration of the vulnerable switch. 

Tracked as CVE-2019-1912 and featuring a CVSS score of 9.1, the second Critical vulnerability in the Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files.

The issue is due to incomplete authorization checks in the web management interface. An attacker looking to exploit the bug needs to send a malicious request to certain parts of the interface. The attacker could then modify the configuration of the affected device or inject a reverse shell.

Cisco also addressed a Medium risk vulnerability in the Small Business 220 Series Smart Switches. Tracked as CVE-2019-1914 and featuring a CVSS score of 7.2, the security flaw could allow an authenticated, remote attacker to perform a command injection.

Advertisement. Scroll to continue reading.

The issue is caused by the improper validation of user-supplied input. An attacker with a valid login session as a privilege level 15 user could exploit the bug by sending a malicious request to certain parts of the web management interface.

The bugs were found to impact Small Business 220 Series Smart Switches running firmware versions older than 1.1.4.4, with the web management interface enabled. Cisco has released patches to address all of these issues. 

Additionally, the company released a security fix for a cross-site scripting (XSS) vulnerability discovered in the web-based management interface of Identity Services Engine (ISE). The issue was found to impact Cisco ISE running software releases prior to 2.4.0 Patch 9.

Tracked as CVE-2019-1941 and featuring a CVSS score of 6.1, the vulnerability could be exploited by an unauthenticated, remote attacker who can persuade a user to click a malicious link. If successful, the attacker could execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Cisco says it is not aware of any public announcements or malicious use of these vulnerabilities. 

Related: Critical Flaws Found in Cisco Data Center Network Manager

Related: Cisco Patches Critical Vulnerability in Data Center Switches

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Video platform Vimeo has appointed Ryan Weeks as Chief Information Security Officer.

LPL Financial has welcomed Renana Friedlich as Chief Information Security Officer.

SSH Communications Security has appointed Pauli Haikonen as the company’s Chief Information Security Officer (CISO).

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.