Pierluigi Paganini August 08, 2019

Cisco has released security updates to address several vulnerabilities in Cisco Small Business 220 Series Smart Switches.

Cisco released security updates to address several vulnerabilities in Cisco Small Business 220 Series Smart Switches, including two critical issues.

The most important flaw, tracked as CVE-2019-1913, could be exploited by an unauthenticated, remote attacker to execute arbitrary code with root privileges.

The CVE-2019-1913 code was used to identify several flaws that reside in the web management interface of the smart switches. The CVE-2019-1913 received a CVSS score of 9.8.

“Multiple vulnerabilities in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to overflow a buffer, which then allows the execution of arbitrary code with root privileges on the underlying operating system.” reads the advisory published by Cisco.

“The vulnerabilities are due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer. An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device,”

An attacker can exploit the flaws by sending specially crafted requests to the switches via HTTP or HTTPS, depending on the configuration of the device.

The second critical flaw, tracked as CVE-2019-1912, affects the Cisco Small Business 220 Series Smart Switches.

The flaw received a CVSS score of 9.1, it could be exploited by an unauthenticated, remote attacker to upload arbitrary files.

The issue is caused by incomplete authorization checks in the web management interface. An attacker could exploit the vulnerability by sending a specially-crafted request to certain parts of the web management interface. The exploitation of the flaw could allow the attacker to modify the configuration of a vulnerable switch or to inject a reverse shell.

“A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files.” reads the advisory.

“The vulnerability is due to incomplete authorization checks in the web management interface. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. “

Cisco also addressed a Medium severity flaw, tracked as CVE-2019-1914, in Cisco Small Business 220 Series Smart Switches. The flaw received a CVSS score of 7.2, and could be exploited by an authenticated, remote attacker to perform command injection.

“The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. To send the malicious request, the attacker needs a valid login session in the web management interface as a privilege level 15 user.” reads the advisory. “Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to execute arbitrary shell commands with the privileges of the root user. “

The vulnerabilities affect Cisco Small Business 220 Series Smart Switches running firmware versions prior than 1.1.4.4, with the web management interface enabled.

Cisco confirmed that it is not aware of any attacks in the wild exploiting these vulnerabilities. 

Pierluigi Paganini

(SecurityAffairs – Cisco Small Business 220, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]