Cisco squashes critical bugs in small biz switches

Cisco rolled out patches for four critical security vulnerabilities in several of its network switches for small businesses that can be exploited to remotely hijack the equipment.

Specifically, the flaws in the web user interface can be used to run arbitrary code with root privileges.

The networking giant this week said in an advisory that organizations with service contracts that include regular software updates should get fixes for the security holes through their usual update channels. Those with valid licenses from Cisco or third parties can get them through maintenance upgrades.

Either way, they should get the systems updated. According to Cisco's Product Security Incident Response Team (PSIRT}, there is proof-of-concept exploit code out there that would help attackers develop full attacks against vulnerable devices.

However, the Cisco group "is not aware of any malicious use of the vulnerabilities that are described in this advisory," the company wrote.

Patching the switches are the only way to protect them. There are no workarounds for the problem, Cisco wrote.

The four security flaws are tracked as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189 and all carry CVSS severity ratings of 9.8 out of 10.

All are caused by improper validation of requests sent to the targeted switches' web interfaces.

• Don't turn it off and on again: Expired Cisco cert cripples vEdge SD-WAN kit
• Cisco to manufacture telecoms gear in India – but not much and not soon
• Cisco: Don't use 'blind spot' – and do use 'feed two birds with one scone'
• Dump these insecure phone adapters because we're not fixing them, says Cisco

"An attacker could exploit this vulnerability by sending a crafted request through the web-based user interface," according to Cisco for each of them. "A successful exploit could allow the attacker to execute arbitrary code with root privileges on an affected device."

That means if you can get to the web control panel of the equipment, and exploit the holes in them, you can remotely take over the switch, and make it do whatever you want.

The switches affected by the vulnerabilities include the 250 Series smart switches, 350 Series managed switches, and 350X Series and 550X stackable managed switches. All were fixed in firmware version 2.5.9.16. Also impacted were Business 250 Series smart switches and Business 350 Series managed switches, which were fixed in firmware 3.3.0.16.

Three other switches – Small Business 200 Series smart switches, Small Business 300 Series managed switches, and Small Business 500 Series stackable managed switches – also were affected by the bugs but won't be patched because they are reaching their end-of-life.

The advisory also covers other exploitable bugs in the Small Business Series, such as heap buffer overflows that can lead to crashes, and a configuration reading hole.

"Cisco would like to thank the external researcher who reported these vulnerabilities," the manufacturer added.

The alert for the small business switches came out the same time as several other notices were issued for less severe problems for other Cisco products, including in the IOS XE ROM monitor (ROMMON) software for the vendor's Catalyst switches.

The vulnerability – which has a CVSS medium score of 4.6 out of 10 – is in the password-recovery disable feature of the switch software that, if exploited, could enable a local attacker to recover the configuration, read any file, or reset the enable password.

"This vulnerability is due to a problem with the file and boot variable permissions in ROMMON," Cisco's said in the advisory, which was first issued in September and just updated. "An attacker could exploit this vulnerability by rebooting the switch into ROMMON and entering specific commands through the console."

The flaw affected switches in seven Catalyst families: the 3600, 3800, and the 9200 through 9600 series. ®