Some of the vulnerabilities could lead to complete compromise of the device as a proof of concept is publicly available. Credit: Prayitno Cisco patched several vulnerabilities this week that affect multiple models of its small business switches and could allow attackers to take full control of the devices remotely. The flaws are all located in the web-based management interface of the devices and can be exploited without authentication. While the company didn’t disclose which specific components of the web interface the flaws are located in, it noted in its advisory that the vulnerabilities are not dependent on one another and can be exploited independently.Because the flaws can be exploited without authentication, we can infer that they’re probably located in functionality that doesn’t require authentication or for which the authentication mechanism can be bypassed. The former seems more likely since none of the flaws are described as an authentication bypass. While Cisco is not yet aware of any malicious exploitation of these flaws, the company noted that proof-of-concept exploit code is already publicly available for these vulnerabilities.Attackers do need to have access to the web management interface, which can be achieved directly in cases where the management interface is exposed to the internet, or indirectly by first gaining a foothold on an internal network where a vulnerable switch is used. Cisco vulnerabilities could allow complete device compromise, denial of service, data leakageFour of the flaws are described as buffer overflows and can be exploited to achieve arbitrary code execution with root (administrative) permissions. This generally results in a complete compromise of the device. These four flaws are tracked as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189. All are rated 9.8 out of 10 on the CVSS severity scale. Another four flaws are also described as buffer overflow conditions but can only lead to a denial-of-service condition against vulnerable devices when processing maliciously crafted requests. The flaws are tracked as CVE-2023-20156, CVE-2023-20024, CVE-2023-20157, and CVE-2023-20158 and are rated with 8.6 severity.The last flaw is described as a configuration reading error and can result in attackers reading unauthorized information from an affected device without authentication. The flaw, tracked as CVE-2023-20162 is rated with 7.5 severity (High). Upgrade to latest Cisco firmwareThe vulnerabilities impact version 2.5.9.15 and earlier of the Cisco firmware for 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches and 550X Series Stackable Managed Switches, as well as version 3.3.0.15 and earlier of the firmware of Business 250 Series Smart Switches and Business 350 Series Managed Switches. Cisco released patched firmware versions 2.5.9.16 and 3.3.0.16, respectively.The Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches and Small Business 500 Series Stackable Managed Switches are also affected, but will not receive firmware upgrades because they have reached end-of-life.The company notes that not all affected firmware versions are impacted by all the vulnerabilities, which suggests some flaws might be version-specific. Nevertheless, customers should upgrade to the latest firmware version as soon as possible as there are no known workarounds and attackers have taken an interest in Cisco devices before. Related content news Spam blocklist SORBS shuts down after over two decades The service was unsustainable but those in the email deliverability industry expressed mixed feelings about the closure. By Evan Schuman Jun 07, 2024 4 mins Email Security Antispam news analysis New RansomHub ransomware gang has ties to older Knight group File encryption malware used by RansomHub appears to be a modified variant of the Knight ransomware, also known as Cyclops. By Lucian Constantin Jun 07, 2024 4 mins Hacker Groups Ransomware Hacking feature Whitelisting explained: How it works and where it fits in a security program Whitelisting locks down computers so only approved applications can run. Is the security worth the administrative hassle? By Josh Fruhlinger and CSO Staff Jun 07, 2024 10 mins Email Security Application Security Data and Information Security interview How Amazon CISO Amy Herzog responds to cybersecurity challenges Amazon CISO for devices and advertising products and services describes how her team works with product and devops teams to ensure products are cybersecure. By David Strom Jun 07, 2024 5 mins Security Practices Vulnerabilities Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe