A researcher has identified several vulnerabilities, including ones that have been rated high severity, in Cisco’s Small Business 220 series smart switches. The networking giant this week informed customers about the availability of patches for these flaws.
The vulnerabilities were discovered by security researcher Jasper Lievisse Adriaanse, and they impact switches that run firmware versions earlier than 1.2.0.6 and have the web-based management interface enabled — the interface is enabled by default.
In an advisory released this week, Cisco said Lievisse Adriaanse found four types of security holes in the small business switches.
One of them, tracked as CVE-2021-1542 and rated high severity, can be exploited by a remote, unauthenticated attacker to hijack a user’s session and gain access to the switch’s web interface. Depending on the privileges of the targeted user, the attacker could gain admin-level access to the management interface.
Another high-severity issue is CVE-2021-1541, which allows a remote attacker with admin permissions on the device to execute arbitrary commands with root privileges on the underlying operating system.
Lievisse Adriaanse told SecurityWeek that while he hasn’t tested this, it may be possible for an attacker to chain these two vulnerabilities.
The other two flaws found by the researcher, both classified as medium severity by Cisco, could allow a remote, unauthenticated attacker to launch XSS attacks (CVE-2021-1543) or HTML injection attacks (CVE-2021-1571).
“[In the case of the] XSS flaw, the vector which I tested and verified was by exploiting a vulnerability in how certain packets which are only valid on the same L2 domain are parsed,” Lievisse Adriaanse explained.
He added, “It should be possible, if you’re on the same L2 domain, to perform the XSS attack through CVE-2021-1543, obtain the CSRF token and perform arbitrary actions as the logged in user. As I don’t write a lot of Javascript I didn’t attempt to write a payload to subsequently exploit CVE-2021-1541. Note however that due to lacking Content-Security-Policy headers you can use CVE-2021-1543 to include remote Javascript code. So you’re not limited by the packet size of the abused L2 protocol. I guess with enough experience and determination one could concoct a payload to do anything in the UI.”
Asked about a worst case theoretical attack scenario involving these vulnerabilities, the researcher said, “Theoretically speaking, the worst case scenario is someone on the same L2 domain performs the XSS attack and obtains administrative privileges (or pull off the authentication bypass) and while at it they could gain root on the underlying OS. I guess you could set up a span port and MiTM all traffic going through the switch, or perhaps find a way to gain persistence. With administrative access to the web interface and root on the underlying minimal Linux system the options are abundant.”
The researcher said that while he hasn’t checked, the impacted switches should not be directly exposed to the internet.
Cisco this week also announced patches for high-severity flaws affecting AnyConnect Secure Mobility Client for Windows (DLL hijacking by authenticated attacker), DNA Center (unauthenticated attacker can view and alter sensitive information), and Email Security and Web Security appliances (unauthenticated attacker can intercept traffic).
Related: Several High-Severity Vulnerabilities Expose Cisco Firewalls to Remote Attacks
Related: Several Cisco Products Exposed to DoS Attacks Due to Snort Vulnerability