Some of the vulnerabilities could lead to complete compromise of the device, and proof-of-concept exploit code is publicly available.

Credit: Prayitno

Cisco patched several vulnerabilities this week that affect multiple models of its small business switches and could allow attackers to take full control of the devices remotely. The flaws are all located in the web-based management interface of the devices and can be exploited without authentication. While the company didn’t disclose which specific components of the web interface the flaws are located in, it noted in its advisory that the vulnerabilities are not dependent on one another and can be exploited independently.

Because the flaws can be exploited without authentication, we can infer that they’re probably located in functionality that doesn’t require authentication or for which the authentication mechanism can be bypassed. The former seems more likely since none of the flaws are described as an authentication bypass. While Cisco is not yet aware of any malicious exploitation of these flaws, the company noted that proof-of-concept exploit code is already publicly available for these vulnerabilities.

Attackers do need to have access to the web management interface, which can be achieved directly in cases where the management interface is exposed to the internet, or indirectly by first gaining a foothold on an internal network where a vulnerable switch is used.

Cisco vulnerabilities could allow complete device compromise, denial of service, data leakage

Four of the flaws are described as buffer overflows and can be exploited to achieve arbitrary code execution with root (administrative) permissions. This generally results in a complete compromise of the device. These four flaws are tracked as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189. All are rated 9.8 out of 10 on the CVSS severity scale.
Another four flaws are also described as buffer overflow conditions but can only lead to a denial-of-service condition against vulnerable devices when processing maliciously crafted requests. The flaws are tracked as CVE-2023-20156, CVE-2023-20024, CVE-2023-20157, and CVE-2023-20158 and are rated with 8.6 severity.

The last flaw is described as a configuration reading error and can result in attackers reading unauthorized information from an affected device without authentication. The flaw, tracked as CVE-2023-20162, is rated with 7.5 severity (High).

Upgrade to latest Cisco firmware

The vulnerabilities impact version 2.5.9.15 and earlier of the Cisco firmware for 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches and 550X Series Stackable Managed Switches, as well as version 3.3.0.15 and earlier of the firmware of Business 250 Series Smart Switches and Business 350 Series Managed Switches. Cisco released patched firmware versions 2.5.9.16 and 3.3.0.16, respectively.

The Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches and Small Business 500 Series Stackable Managed Switches are also affected, but will not receive firmware upgrades because they have reached end-of-life.

The company notes that not all affected firmware versions are impacted by all the vulnerabilities, which suggests some flaws might be version-specific. Nevertheless, customers should upgrade to the latest firmware version as soon as possible as there are no known workarounds and attackers have taken an interest in Cisco devices before.
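The affected and fixed firmware versions listed in the article can be turned into an inventory check. The Python below is an added example, not code from Cisco or from the article; the hostnames, the CSV layout, the status labels and the end-of-life unit's firmware value are constructed for illustration, and series names are assumed to be recorded exactly as the article writes them.

```python
import csv, io

# Fixed releases and end-of-life series as stated in the article.
FIXED = {
    "250 Series Smart Switches": "2.5.9.16",
    "350 Series Managed Switches": "2.5.9.16",
    "350X Series Stackable Managed Switches": "2.5.9.16",
    "550X Series Stackable Managed Switches": "2.5.9.16",
    "Business 250 Series Smart Switches": "3.3.0.16",
    "Business 350 Series Managed Switches": "3.3.0.16",
}
END_OF_LIFE = {
    "Small Business 200 Series Smart Switches",
    "Small Business 300 Series Managed Switches",
    "Small Business 500 Series Stackable Managed Switches",
}
# Constructed sample inventory (hostnames and the EOL firmware value are made up).
INVENTORY_CSV = """hostname,series,firmware
sw-access-02,350 Series Managed Switches,2.5.9.9
sw-core-01,550X Series Stackable Managed Switches,2.5.9.16
sw-branch-01,Business 250 Series Smart Switches,3.3.0.15
sw-lab-01,Small Business 300 Series Managed Switches,1.4.11.5
sw-lab-02,Business 350 Series Managed Switches,unknown
"""

def parse_version(text):
    # '2.5.9.15' -> (2, 5, 9, 15): compare numerically, not as strings,
    # otherwise '2.5.9.9' would sort above '2.5.9.16' and look patched.
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(series, firmware):
    series = series.strip()
    if series in END_OF_LIFE:
        return "affected-eol", "no firmware fix will be released; plan replacement"
    fixed = FIXED.get(series)
    if fixed is None:
        return "not-listed", "series not named in the article; check Cisco's advisory"
    try:
        current = parse_version(firmware)
    except ValueError:
        return "unknown-version", f"confirm firmware by hand; fixed release is {fixed}"
    if current >= parse_version(fixed):
        return "patched", "none"
    return "vulnerable", f"upgrade to {fixed} or later"

def triage_inventory(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["hostname"]: triage(r["series"], r["firmware"]) for r in rows}
```

Because Cisco says not every affected version is impacted by every flaw, the check is deliberately conservative: anything below the fixed release is reported as vulnerable.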