A researcher has identified several vulnerabilities, including ones that have been rated high severity, in Cisco’s Small Business 220 series smart switches. The networking giant this week informed customers about the availability of patches for these flaws.
The vulnerabilities were discovered by security researcher Jasper Lievisse Adriaanse, and they impact switches that run firmware versions earlier than 18.104.22.168 and have the web-based management interface enabled — the interface is enabled by default.
In an advisory released this week, Cisco said Lievisse Adriaanse found four types of security holes in the small business switches.
One of them, tracked as CVE-2021-1542 and rated high severity, can be exploited by a remote, unauthenticated attacker to hijack a user’s session and gain access to the switch’s web interface. Depending on the privileges of the targeted user, the attacker could gain admin-level access to the management interface.
Another high-severity issue is CVE-2021-1541, which allows a remote attacker with admin permissions on the device to execute arbitrary commands with root privileges on the underlying operating system.
Lievisse Adriaanse told SecurityWeek that while he hasn’t tested this, it may be possible for an attacker to chain these two vulnerabilities.
The other two flaws found by the researcher, both classified as medium severity by Cisco, could allow a remote, unauthenticated attacker to launch XSS attacks (CVE-2021-1543) or HTML injection attacks (CVE-2021-1571).
“[In the case of the] XSS flaw, the vector which I tested and verified was by exploiting a vulnerability in how certain packets which are only valid on the same L2 domain are parsed,” Lievisse Adriaanse explained.
Asked about a worst case theoretical attack scenario involving these vulnerabilities, the researcher said, “Theoretically speaking, the worst case scenario is someone on the same L2 domain performs the XSS attack and obtains administrative privileges (or pull off the authentication bypass) and while at it they could gain root on the underlying OS. I guess you could set up a span port and MiTM all traffic going through the switch, or perhaps find a way to gain persistence. With administrative access to the web interface and root on the underlying minimal Linux system the options are abundant.”
The researcher said that while he hasn’t checked, the impacted switches should not be directly exposed to the internet.
Cisco this week also announced patches for high-severity flaws affecting AnyConnect Secure Mobility Client for Windows (DLL hijacking by authenticated attacker), DNA Center (unauthenticated attacker can view and alter sensitive information), and Email Security and Web Security appliances (unauthenticated attacker can intercept traffic).