Cisco this week released patches to address several vulnerabilities in its Small Business 220 Series Smart Switches, including two bugs rated Critical severity.
The most important of these issues could allow an unauthenticated, remote attacker to execute arbitrary code with root privileges on the underlying operating system.
Tracked as CVE-2019-1913 and featuring a CVSS score of 9.8, the flaw consists of multiple vulnerabilities in the web management interface of the smart switches.
“The vulnerabilities are due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer. An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device,” Cisco explains.
The requests must be sent via HTTP or HTTPS, depending on the configuration of the vulnerable switch.
Tracked as CVE-2019-1912 and featuring a CVSS score of 9.1, the second Critical vulnerability in the Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files.
The issue is due to incomplete authorization checks in the web management interface. An attacker looking to exploit the bug needs to send a malicious request to certain parts of the interface. The attacker could then modify the configuration of the affected device or inject a reverse shell.
Cisco also addressed a Medium risk vulnerability in the Small Business 220 Series Smart Switches. Tracked as CVE-2019-1914 and featuring a CVSS score of 7.2, the security flaw could allow an authenticated, remote attacker to perform a command injection.
The issue is caused by the improper validation of user-supplied input. An attacker with a valid login session as a privilege level 15 user could exploit the bug by sending a malicious request to certain parts of the web management interface.
The bugs were found to impact Small Business 220 Series Smart Switches running firmware versions older than 188.8.131.52, with the web management interface enabled. Cisco has released patches to address all of these issues.
Additionally, the company released a security fix for a cross-site scripting (XSS) vulnerability discovered in the web-based management interface of Identity Services Engine (ISE). The issue was found to impact Cisco ISE running software releases prior to 2.4.0 Patch 9.
Tracked as CVE-2019-1941 and featuring a CVSS score of 6.1, the vulnerability could be exploited by an unauthenticated, remote attacker who can persuade a user to click a malicious link. If successful, the attacker could execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Cisco says it is not aware of any public announcements or malicious use of these vulnerabilities.