Critical fixed critical flaws in Cisco Small Business Switches

May 18, 2023  By Pierluigi Paganini


Cisco fixed nine flaws in its Small Business Series Switches that could be exploited to execute arbitrary code or cause a DoS condition.

Cisco has released security updates to address nine security vulnerabilities in the web-based user interface of certain Small Business Series Switches that could be exploited by an unauthenticated, remote attacker to execute arbitrary code with root privileges or trigger a denial-of-service (DoS) condition.

“Multiple vulnerabilities in the web-based user interface of certain Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with root privileges on an affected device.” reads the advisory published by Cisco. “These vulnerabilities are due to improper validation of requests that are sent to the web interface.”

There are no workarounds to address these vulnerabilities. These vulnerabilities impact the following Cisco Small Business Switches:

  • 250 Series Smart Switches
  • 350 Series Managed Switches
  • 350X Series Stackable Managed Switches
  • 550X Series Stackable Managed Switches
  • Business 250 Series Smart Switches
  • Business 350 Series Managed Switches
  • Small Business 200 Series Smart Switches
  • Small Business 300 Series Managed Switches
  • Small Business 500 Series Stackable Managed Switches

The IT giant confirmed that these vulnerabilities do not impact the following Cisco products:

  • 220 Series Smart Switches
  • Business 220 Series Smart Switches

The vulnerabilities are not dependent on one another, this means the exploitation of one of them is not required to exploit another flaw.

A brief description of each of the flaws is as follows –

  • CVE-2023-20159 (CVSS score: 9.8): Small Business Series Switches Stack Buffer Overflow Vulnerability
  • CVE-2023-20160 (CVSS score: 9.8): Small Business Series Switches Unauthenticated BSS Buffer Overflow Vulnerability
  • CVE-2023-20161 (CVSS score: 9.8): Small Business Series Switches Unauthenticated Stack Buffer Overflow Vulnerability
  • CVE-2023-20189 (CVSS score: 9.8): Small Business Series Switches Unauthenticated Stack Buffer Overflow Vulnerability
  • CVE-2023-20024 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
  • CVE-2023-20156 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
  • CVE-2023-20157 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
  • CVE-2023-20158 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Denial-of-Service Vulnerability
  • CVE-2023-20162 (CVSS score: 7.5): Cisco Small Business Series Switches Unauthenticated Configuration Reading Vulnerability

An attacker could exploit these vulnerabilities by sending a crafted request through the web-based user interface.

The vendor states that it will not release firmware updates to address the above vulnerabilities in EoL products Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, and Small Business 500 Series Stackable Managed Switches:

The company Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the above vulnerabilities. The PSIRT is not aware of attacks in the wild exploiting these vulnerabilities.

With Cisco devices becoming a lucrative attack vector for threat actors, users are recommended to move quickly to apply the patches to mitigate potential threats.

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, switch)



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Ukraine, Ireland, Japan and Iceland join NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)

 The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) announced that Ukraine, Ireland, Japan and Iceland joined...