Pierluigi Paganini August 23, 2019

Cisco provided updates for security advisories for three flaws affecting Cisco Small Business 220 Series Smart Switches patched in early August.

Cisco has updated security advisories for three vulnerability in Cisco Small Business 220 Series Smart Switches that have been patched in early August. The three vulnerabilities were reported by the security researcher Pedro Ribeiro, aka ‘bashis‘, via Cisco’s VDOO Disclosure Program.

According to the Cisco Product Security Incident Response Team (PSIRT), public exploit code for these flaws is available online.

One of the vulnerabilities is critical remote code execution tracked as CVE-2019-1913, an attacker could exploit this flaw to execute arbitrary code with root privileges on the underlying operating system.

“Multiple vulnerabilities in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to overflow a buffer, which then allows the execution of arbitrary code with root privileges on the underlying operating system.” reads the security advisory.

“The vulnerabilities are due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer. An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device. Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS.“

Another flaw is an authentication bypass security flaw tracked as CVE-2019-1912 that resides in the web management interface of Cisco Small Business 220 Series Smart Switches. The flaw could be exploited by an attacker to modify the configuration of an affected device or to inject a reverse shell.

“A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files.” reads the security advisory.

“The vulnerability is due to incomplete authorization checks in the web management interface. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to modify the configuration of an affected device or to inject a reverse shell.”

The third flaw is a command injection vulnerability tracked as CVE-2019-1914 that could be exploited by an authenticated, remote attackers launch a command injection attack.

The good news is that Cisco is not aware of attacks exploiting the above issues.

“The Cisco Product Security Incident Response Team (PSIRT) is aware of the existence of public exploit code. Cisco PSIRT is not aware of malicious use of the vulnerability that is described in this advisory.” states Cisco.

Cisco also released security patches to address 17 critical and high-severity vulnerabilities affecting some Cisco Unified Computing products (UCS) and Integrated Management Controller (IMC).

Also for these flaws, Cisco confirmed it is not aware of attacks in the wild that have exploited them.

Pierluigi Paganini

(SecurityAffairs – Cisco Small Business, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]