Critical Flaws in Cisco Small Business Switches Could Allow Remote Attacks

May 18, 2023Ravi LakshmananNetwork security/vulnerability

Cisco has released updates that address nine security flaws present in Small Business Series switches. These flaws can be exploited by an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition.

“These vulnerabilities are due to improper validation of requests sent to the web interface,” Cisco said, acknowledging an anonymous outside researcher who reported the issue.

Four of the nine vulnerabilities are rated 9.8 out of 10 on the CVSS scoring system and are critical in nature. Nine defects affect the following product lines:

• 250 Series Smart Switch (fixed in firmware version 2.5.9.16)
• 350 Series Managed Switches (fixed in firmware version 2.5.9.16)
• 350X Series Stackable Managed Switches (fixed in firmware version 2.5.9.16)
• 550X Series Stackable Managed Switches (fixed in firmware version 2.5.9.16)
• Business 250 Series Smart Switch (fixed in firmware version 3.3.0.16)
• Business 350 Series Managed Switches (fixed in firmware version 3.3.0.16)
• Small Business 200 Series Smart Switch (not patched)
• Small Business 300 Series Managed Switches (not patched)
• Small Business 500 Series Stackable Managed Switch (not patched)

A brief description of each flaw follows:

• CVE-2023-20159 (CVSS Score: 9.8): Cisco Small Business Series Switches Stack Buffer Overflow Vulnerability
• CVE-2023-20160 (CVSS Score: 9.8): Unauthenticated BSS Buffer Overflow Vulnerability in Cisco Small Business Series Switches
• CVE-2023-20161 (CVSS Score: 9.8): Unauthenticated Stack Buffer Overflow Vulnerability in Cisco Small Business Series Switches
• CVE-2023-20189 (CVSS Score: 9.8): Unauthenticated Stack Buffer Overflow Vulnerability in Cisco Small Business Series Switches
• CVE-2023-20024 (CVSS Score: 8.6): Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
• CVE-2023-20156 (CVSS Score: 8.6): Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
• CVE-2023-20157 (CVSS Score: 8.6): Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
• CVE-2023-20158 (CVSS Score: 8.6): Unauthenticated Denial of Service Vulnerability in Cisco Small Business Series Switches
• CVE-2023-20162 (CVSS Score: 7.5): Unauthenticated Configuration Reading Vulnerability in Cisco Small Business Series Switches

Successful exploitation of the aforementioned bug allows an unauthenticated, remote attacker to gain arbitrary root privileges on the affected device by sending specially crafted requests via a web-based user interface. may execute code.

Alternatively, it can be exploited by malicious requests to cause DoS conditions or read unauthorized information on vulnerable systems.

Cisco said it has no plans to release firmware updates for its Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, and Small Business 500 Series Stackable Managed Switches as they are in the end-of-life process.

The network equipment giant also said it was aware of proof-of-concept (PoC) exploit code available, but said it had observed no evidence of malicious exploits in the wild.

As Cisco devices have become a lucrative attack vector for threat actors, users are encouraged to patch promptly to mitigate potential threats.