Cisco fixes critical bugs in Small Business Series switches

Proof-of-concept exploit code is available


Cisco has warned customers using some of its small business switches about four critical vulnerabilities that a remote attacker could leverage to run arbitrary code with root privileges on affected devices.

Each of the four remote code execution (RCE) flaws has nearly the highest CVSS severity rating, scoring 9.8 out of 10.

Cisco says an unauthenticated, remote attacker could use the weaknesses to execute arbitrary code with root privileges on an affected device.

The vulnerabilities (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189) stem from inadequate validation of requests sent to the targeted switches' web interfaces.

An attacker can exploit these vulnerabilities by sending a crafted request through the web-based UI.

Cisco has clarified that these vulnerabilities are independent of each other, meaning that exploiting one does not rely on exploiting another.

The bugs are present in firmware release 2.5.9.15 and earlier versions of the following switches:

The vulnerabilities have been resolved in firmware version 2.5.9.16.

The vulnerabilities also impact release 3.3.0.15 and earlier versions of the Business 250 Series smart switches and Business 350 Series managed switches. Cisco has addressed these bugs in firmware version 3.3.0.16.

Although the Small Business 200, 300 and 500 Series switches are also affected by these vulnerabilities, Cisco has said firmware patches will not be provided for these devices as they have already entered the end-of-life process.

The Cisco Product Security Incident Response Team (PSIRT) has confirmed that proof-of-concept exploit code is available for these security flaws, which raises the potential for active exploitation if motivated threat actors choose to create their own exploits.

However, as of now, Cisco's PSIRT has not discovered any evidence indicating the flaws are being used in actual attacks.

Six additional vulnerabilities

On Wednesday, Cisco disclosed five other vulnerabilities: CVE-2023-20024, CVE-2023-20156, CVE-2023-20157, CVE-2023-20158 and CVE-2023-20162.

These bugs also exist in the Cisco Small Business Series switches' web-based UI.

The first four could allow an unauthenticated, remote attacker to trigger a denial-of-service (DoS) condition on an affected device. The fifth (CVE-2023-20162) could be used to access unauthorised information on an affected device.

Cisco is also developing a patch for a cross-site scripting (XSS) vulnerability discovered in its Prime Collaboration Deployment (PCD) server management tool last month.

Tracked as CVE-2023-20060, this XSS bug was identified in the web-based management interface of Cisco PCD versions 14 and earlier.

The vulnerability was reported by Pierre Vivegnis from NATO's Cyber Security Centre (NCSC).

The PCD server management utility is used by administrators to carry out migration or upgrade tasks on servers listed in their organisation's inventory.

"A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information," Cisco said in April.

The Cisco PSIRT said at the time that it had not discovered any evidence of malicious exploitation of CVE-2023-20060 in real-world incidents.

Furthermore, the team is unaware of any publicly available exploit code specifically targeting this vulnerability.

Cisco has patched other Small Business products this year, notably the RV Series routers in February. Attackers could use those vulnerabilities to carry out actions including RCE and unauthorised access to corporate networks, often without requiring authentication.