Cisco has gone public with 10 vulnerabilities in various small business switch models, four of which are rated critical, saying that it’s aware of proof-of-concept exploit code for the bugs.
The vulnerabilities let an unauthenticated, remote attacker “execute arbitrary code with root privileges on an affected device”, or cause a denial-of-service.
“These vulnerabilities are due to improper validation of requests that are sent to the web interface," Cisco’s advisory stated.
The bugs are in the switches’ firmware release 2.5.9.15 and earlier (in the 250 series smart switches, 350 series managed switches, 350X series stackable managed switches, and 550X series stackable managed switches); and release 3.3.0.15 and earlier (in the Business 250 series smart switches and Business 350 series managed switches).
Fixed firmware is available for these devices, however the Small Business 200, 300 and 500 series switches have entered the end-of-life process and won’t be fixed.
All but two of the 10 vulnerabilities are some kind of buffer overflow.
The critical vulnerabilities are CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189 (with CVSS scores of 9.8).
CVE-2023-20158 is the denial-of-service vulnerability, is triggered by sending a crafted request to the web management interface, and is rated high (CVSS score 8.6).
In addition, CVE-2023-20162, rated high (CVSS score 7.5) allows an unauthenticated remote attacker to read configuration data.
