Cisco has launched updates to deal with a set of 9 safety flaws in its Small Enterprise Collection Switches that could possibly be exploited by an unauthenticated, distant attacker to run arbitrary code or trigger a denial-of-service (DoS) situation.
“These vulnerabilities are attributable to improper validation of requests which are despatched to the online interface,” Cisco mentioned, crediting an unnamed exterior researcher for reporting the problems.
4 of the 9 vulnerabilities are rated 9.8 out of 10 on the CVSS scoring system, making them important in nature. The 9 flaws have an effect on the next product strains –
- 250 Collection Good Switches (Fastened in firmware model 2.5.9.16)
- 350 Collection Managed Switches (Fastened in firmware model 2.5.9.16)
- 350X Collection Stackable Managed Switches (Fastened in firmware model 2.5.9.16)
- 550X Collection Stackable Managed Switches (Fastened in firmware model 2.5.9.16)
- Enterprise 250 Collection Good Switches (Fastened in firmware model 3.3.0.16)
- Enterprise 350 Collection Managed Switches (Fastened in firmware model 3.3.0.16)
- Small Enterprise 200 Collection Good Switches (Is not going to be patched)
- Small Enterprise 300 Collection Managed Switches (Is not going to be patched)
- Small Enterprise 500 Collection Stackable Managed Switches (Is not going to be patched)
A short description of every of the issues is as follows –
- CVE-2023-20159 (CVSS rating: 9.8): Cisco Small Enterprise Collection Switches Stack Buffer Overflow Vulnerability
- CVE-2023-20160 (CVSS rating: 9.8): Cisco Small Enterprise Collection Switches Unauthenticated BSS Buffer Overflow Vulnerability
- CVE-2023-20161 (CVSS rating: 9.8): Cisco Small Enterprise Collection Switches Unauthenticated Stack Buffer Overflow Vulnerability
- CVE-2023-20189 (CVSS rating: 9.8): Cisco Small Enterprise Collection Switches Unauthenticated Stack Buffer Overflow Vulnerability
- CVE-2023-20024 (CVSS rating: 8.6): Cisco Small Enterprise Collection Switches Unauthenticated Heap Buffer Overflow Vulnerability
- CVE-2023-20156 (CVSS rating: 8.6): Cisco Small Enterprise Collection Switches Unauthenticated Heap Buffer Overflow Vulnerability
- CVE-2023-20157 (CVSS rating: 8.6): Cisco Small Enterprise Collection Switches Unauthenticated Heap Buffer Overflow Vulnerability
- CVE-2023-20158 (CVSS rating: 8.6): Cisco Small Enterprise Collection Switches Unauthenticated Denial-of-Service Vulnerability
- CVE-2023-20162 (CVSS rating: 7.5): Cisco Small Enterprise Collection Switches Unauthenticated Configuration Studying Vulnerability
Profitable exploitation of the aforementioned bugs might allow an unauthenticated, distant attacker to execute arbitrary code with root privileges on an affected machine by sending a specifically crafted request by the web-based consumer interface.
Alternatively, they may be abused to set off a DoS situation or learn unauthorized data on weak techniques by way of a malicious request.
Zero Belief + Deception: Study Learn how to Outsmart Attackers!
Uncover how Deception can detect superior threats, cease lateral motion, and improve your Zero Belief technique. Be a part of our insightful webinar!
Save My Seat!
Cisco mentioned it doesn’t plan to launch firmware updates for Small Enterprise 200 Collection Good Switches, Small Enterprise 300 Collection Managed Switches, Small Enterprise 500 Collection Stackable Managed Switches as they’ve entered the end-of-life course of.
The networking tools main additionally mentioned it is conscious of the provision of a proof-of-concept (PoC) exploit code, however famous that it didn’t observe any proof of malicious exploitation within the wild.
With Cisco units turning into a profitable assault vector for risk actors, customers are beneficial to maneuver shortly to use the patches to mitigate potential threats.