September 23, 2023

Cisco has released patches to address security vulnerabilities in the web UI of certain Small Business Series Switches that could be exploited by an unauthenticated, remote attacker to execute arbitrary code with root privileges or trigger a DoS condition.

Below are the vulnerability details.

  • CVE-2023-20159 (CVSS score: 9.8) – Small Business Series Switches Stack Buffer Overflow Vulnerability
  • CVE-2023-20160 (CVSS score: 9.8) – Small Business Series Switches Unauthenticated BSS Buffer Overflow Vulnerability
  • CVE-2023-20161 (CVSS score: 9.8) – Small Business Series Switches Unauthenticated Stack Buffer Overflow Vulnerability
  • CVE-2023-20189 (CVSS score: 9.8) – Small Business Series Switches Unauthenticated Stack Buffer Overflow Vulnerability
  • CVE-2023-20024 (CVSS score: 8.6) – Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
  • CVE-2023-20156 (CVSS score: 8.6) – Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
  • CVE-2023-20157 (CVSS score: 8.6) – Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
  • CVE-2023-20158 (CVSS score: 8.6) – Cisco Small Business Series Switches Unauthenticated Denial-of-Service Vulnerability
  • CVE-2023-20162 (CVSS score: 7.5) – Cisco Small Business Series Switches Unauthenticated Configuration Reading Vulnerability

There are no workarounds to address these vulnerabilities. An attacker could exploit these vulnerabilities by sending a crafted request through the web-based user interface. The vulnerabilities are not dependent on one another: exploiting one of them is not required to exploit another.

These vulnerabilities impact the following Cisco Small Business Switches:

  • 250 Series Smart Switches
  • 350 Series Managed Switches
  • 350X Series Stackable Managed Switches
  • 550X Series Stackable Managed Switches
  • Business 250 Series Smart Switches
  • Business 350 Series Managed Switches
  • Small Business 200 Series Smart Switches
  • Small Business 300 Series Managed Switches
  • Small Business 500 Series Stackable Managed Switches

Cisco also confirmed that these vulnerabilities do not impact the following Cisco products:

  • 220 Series Smart Switches
  • Business 220 Series Smart Switches

The vendor states that it will not release firmware updates to address the above vulnerabilities in the following end-of-life (EoL) products: Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, and Small Business 500 Series Stackable Managed Switches.

Cisco PSIRT is aware that proof-of-concept exploit code is available for the above vulnerabilities. The PSIRT is not aware of attacks in the wild exploiting these vulnerabilities.
