'Critical' security flaws identified in Cisco 220 Series Smart Switches

Cisco urges users of its Small Business 220 series of switches to update ASAP or risk corporate network compromise

Patches have been rushed out following the discovery of three 'critical' security flaws in the popular Cisco 220 Series Smart Switches.

In a security advisory published yesterday, the company advised organisations using the switches to update device firmware ASAP to prevent attacks that could compromise enterprise networks.

Cisco said that threat actors can leverage the vulnerabilities to remotely upload files, execute code, and inject commands into vulnerable devices.

All three flaws exist in the web management interface of the switches, according to Cisco, which means that device owners can also protect their devices from attacks by simply turning off the web management interface.

The first flaw, indexed as CVE-2019-1913, is a root-level remote-code execution flaw that stems from a buffer overflow. This "critical" vulnerability has a CVSS score of 9.8 out of 10 and could enable intruders to execute malicious code with root privileges. To exploit the bug, an unauthenticated attacker needs to send a simple HTTP or HTTPs request aimed at upatched switches.

The second bug, tracked as CVE-2019-1912, is an authentication bypass bug that enables attackers to upload arbitrary files to the device. It has a CVSS score of 9.1 out of 10.

Attackers can also exploit the flaw via HTTP or HTTPs requests sent through the web interface. A successful exploit would enable attackers to modify the configuration of the targeted device or to inject a reverse shell.

The third vulnerability is indexed as CVE-2019-1914 and has a CVSS score of 7.2 out of 10. This command injection bug acts more like an elevation of privilege. An attacker needs to have a legitimate web management interface login with level 15 privileges to exploit the flaw.

According to Cisco, all three bugs have been patched in device firmware version 1.1.4.4, meaning that all previous versions will be vulnerable to attacks.

Credit for the discovery of three flaws goes to VDOO, an IoT cyber-security firm, which also reported the flaws to Cisco.

Cisco networking devices are among the most targeted netowrking equipment on the internet today, largely due to their ubiquity on enterprise networks. Last year, the company rushed out a patch for a remote-code execution vulnerability that affected its Adaptive Security Appliances and was rated 10-out-of-10 for severity.

In May, security researchers uncovered the Thrangrycat security flaw in Cisco routers, firewalls and switches. This enables attackers to circumvent Cisco Trust Anchor module and perform remote code injection exploiting another root execution flaw - unless users have patched accordingly, of course.