Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Cisco Patches Critical Flaws in Network Switches

Cisco this week released patches to address several vulnerabilities in its Small Business 220 Series Smart Switches, including two bugs rated Critical severity.

Cisco this week released patches to address several vulnerabilities in its Small Business 220 Series Smart Switches, including two bugs rated Critical severity.

The most important of these issues could allow an unauthenticated, remote attacker to execute arbitrary code with root privileges on the underlying operating system.

Tracked as CVE-2019-1913 and featuring a CVSS score of 9.8, the flaw consists of multiple vulnerabilities in the web management interface of the smart switches. 

“The vulnerabilities are due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer. An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device,” Cisco explains.

The requests must be sent via HTTP or HTTPS, depending on the configuration of the vulnerable switch. 

Tracked as CVE-2019-1912 and featuring a CVSS score of 9.1, the second Critical vulnerability in the Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files.

The issue is due to incomplete authorization checks in the web management interface. An attacker looking to exploit the bug needs to send a malicious request to certain parts of the interface. The attacker could then modify the configuration of the affected device or inject a reverse shell.

Cisco also addressed a Medium risk vulnerability in the Small Business 220 Series Smart Switches. Tracked as CVE-2019-1914 and featuring a CVSS score of 7.2, the security flaw could allow an authenticated, remote attacker to perform a command injection.

The issue is caused by the improper validation of user-supplied input. An attacker with a valid login session as a privilege level 15 user could exploit the bug by sending a malicious request to certain parts of the web management interface.

The bugs were found to impact Small Business 220 Series Smart Switches running firmware versions older than 1.1.4.4, with the web management interface enabled. Cisco has released patches to address all of these issues. 

Additionally, the company released a security fix for a cross-site scripting (XSS) vulnerability discovered in the web-based management interface of Identity Services Engine (ISE). The issue was found to impact Cisco ISE running software releases prior to 2.4.0 Patch 9.

Tracked as CVE-2019-1941 and featuring a CVSS score of 6.1, the vulnerability could be exploited by an unauthenticated, remote attacker who can persuade a user to click a malicious link. If successful, the attacker could execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Cisco says it is not aware of any public announcements or malicious use of these vulnerabilities. 

Related: Critical Flaws Found in Cisco Data Center Network Manager

Related: Cisco Patches Critical Vulnerability in Data Center Switches

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.