Cisco has released patches for nine vulnerabilities impacting its small business network switches and said that exploit code has been spotted in the wild.
The vulnerabilities have been found in the user interface (UI) of Cisco Small Business Series switches and could be exploited by attackers to execute arbitrary code on a victim’s switch, or cause a denial of service (DoS) on a business’ network.
Four of the nine vulnerabilities were rated ‘critical’ on the CVSSv3 severity scale, each receiving a near-maximum score of 9.8.
The remaining flaws received scores between 7.5 and 8.6.
The critical flaws - tracked as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189 - stem from improper validation of requests sent through the web-based UI for the switches, which could allow an attacker to run malicious code via custom requests.
Five high-risk flaws also stem from the same UI issue and allow for individual devices to become subject to a DoS.
It’s recommended that affected organizations install the fixes as quickly as possible given the potential security risk and that exploit code exists online. There are no known workarounds that can mitigate the vulnerabilities.
Cisco did not indicate whether successful attacks have already taken place.
RELATED RESOURCE
Quantifying the public vulnerability market: 2022 edition
An analysis of vulnerability disclosures, impact severity, and product analysis
A number of Cisco’s Smart Switches, Series Managed Switches, and Series Stackable Switches are affected by the flaws with a full list available on the company’s official advisory.
Its 220 and Business 220 Series Smart Switches were found to be unaffected.
Cisco said it will not be releasing updates for the Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, or Small Business 500 Series Stackable Managed Switches as all of these products have gone end of life (EOL) and are no longer supported by updates.
EOL notices for the relevant products were published in 2018 and 2019, with businesses having had the years since to move away from the soon-to-be-obsolete switches.
Given the prevalence of Cisco’s hardware in organizations’ networks worldwide, critical vulnerabilities of this kind should be taken seriously and patched as soon as possible.
Cisco small business switches have faced security challenges in the past, with three major vulnerabilities having been found in 2019, a year that also saw the networking and enterprise cyber security firm wrangle with a flaw known as Thrangycat.
Coupled with another flaw, Thrangycat could be used to bypass Cisco’s TAm security controls and remotely seize control of a router or potentially compromise an entire network.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Cisco claims new smart switches provide next-level perimeter defenseNews Cisco’s ‘security everywhere’ mantra has just taken on new meaning with the launch of a series of smart network switches.
-
Cisco is jailbreaking AI models so you don’t have to worry about itNews Cisco's new AI Defense security solution helps organizations shore up LLM security by identifying potential flaws.
-
Cisco dispels Kraken data breach claims, insists stolen data came from old attackNews Cisco has refuted claims it has suffered a data breach after the Kraken threat group posted stolen data online.
-
Cisco patches critical flaws in Identity Services EngineNews Cisco has issued patches for a pair of critical vulnerabilities affecting its Identity Service Engine (ISE).
