Some of the vulnerabilities could lead to complete compromise of the device, and proof-of-concept code is publicly available.

Cisco patched several vulnerabilities this week that affect multiple models of its small business switches and could allow attackers to take full control of the devices remotely. The flaws are all located in the web-based management interface of the devices and can be exploited without authentication. While the company didn’t disclose which specific components of the web interface the flaws are located in, it noted in its advisory that the vulnerabilities are not dependent on one another and can be exploited independently.

Because the flaws can be exploited without authentication, we can infer that they’re probably located in functionality that doesn’t require authentication, or for which the authentication mechanism can be bypassed. The former seems more likely, since none of the flaws is described as an authentication bypass. While Cisco is not yet aware of any malicious exploitation of these flaws, the company noted that proof-of-concept exploit code is already publicly available for these vulnerabilities.

Attackers do need to have access to the web management interface, which can be achieved directly where the management interface is exposed to the internet, or indirectly by first gaining a foothold on an internal network where a vulnerable switch is used.

Cisco vulnerabilities could allow complete device compromise, denial of service, data leakage

Four of the flaws are described as buffer overflows and can be exploited to achieve arbitrary code execution with root (administrative) permissions. This generally results in a complete compromise of the device. These four flaws are tracked as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189. All are rated 9.8 out of 10 on the CVSS severity scale.
Another four flaws are also described as buffer overflow conditions but can only lead to a denial-of-service condition on vulnerable devices when they process maliciously crafted requests. These flaws are tracked as CVE-2023-20156, CVE-2023-20024, CVE-2023-20157, and CVE-2023-20158 and are rated 8.6 severity.

The last flaw is described as a configuration reading error and can result in attackers reading unauthorized information from an affected device without authentication. The flaw, tracked as CVE-2023-20162, is rated 7.5 severity (High).

Upgrade to latest Cisco firmware

The vulnerabilities impact version 2.5.9.15 and earlier of the Cisco firmware for 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches and 550X Series Stackable Managed Switches, as well as version 3.3.0.15 and earlier of the firmware for Business 250 Series Smart Switches and Business 350 Series Managed Switches. Cisco released patched firmware versions 2.5.9.16 and 3.3.0.16, respectively.

The Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches and Small Business 500 Series Stackable Managed Switches are also affected, but will not receive firmware upgrades because they have reached end-of-life.

The company notes that not all affected firmware versions are impacted by all the vulnerabilities, which suggests some flaws might be version-specific. Nevertheless, customers should upgrade to the latest firmware version as soon as possible, as there are no known workarounds and attackers have taken an interest in Cisco devices before.
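The version ranges above are easy to get wrong when checked by hand or with string comparison. The following is an added example, not Cisco tooling, that classifies an inventory of switches against the fixed releases the article names; the series labels (SG350X, CBS350, SB200/SB300/SB500) and the inventory rows are assumed placeholders.

```python
"""Classify switch firmware against the advisory ranges quoted above:
2.5.9.15 and earlier (fixed in 2.5.9.16) and 3.3.0.15 and earlier
(fixed in 3.3.0.16), plus the end-of-life series that get no fix.
Added example, not Cisco tooling; series labels are assumed placeholders."""
from typing import Tuple

# Fixed release per firmware train, as stated in the article.
FIXED_BY_TRAIN = {
    "2.5": (2, 5, 9, 16),   # 250/350/350X/550X Series
    "3.3": (3, 3, 0, 16),   # Business 250/350 Series
}
# Assumed labels for the EOL 200/300/500 Series, which get no patched firmware.
EOL_SERIES = {"SB200", "SB300", "SB500"}


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.9.15' -> (2, 5, 9, 15), so comparison is numeric: as strings,
    '2.5.9.9' sorts above '2.5.9.15' and would wrongly look patched."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(series: str, version: str) -> str:
    """Return 'eol', 'affected', 'patched' or 'unknown-train' for one switch.
    Conservative: any version below the fixed release counts as affected,
    even though not every version carries every CVE."""
    if series in EOL_SERIES:
        return "eol"            # vulnerable with no upgrade path: replace it
    ver = parse_version(version)
    train = f"{ver[0]}.{ver[1]}" if len(ver) >= 2 else ""
    fixed = FIXED_BY_TRAIN.get(train)
    if fixed is None:
        return "unknown-train"  # not covered here; check the Cisco advisory
    return "patched" if ver >= fixed else "affected"


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [
        ("sw-core-01", "SG350X", "2.5.9.15"),
        ("sw-edge-02", "SG350X", "2.5.9.16"),
        ("sw-lab-03", "CBS350", "3.3.0.9"),
        ("sw-old-04", "SB300", "1.4.11.5"),
    ]
    for host, series, fw in sample:
        print(f"{host}: {classify(series, fw)}")
```

Feed it the series and firmware string from each switch's management page or inventory export; an "eol" verdict means the device stays exposed regardless of version.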