Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory 22 May 2023 – Nine Security Flaws Patched for Cisco Small Business Series Switches

Black Arrow Cyber Advisory 22 May 2023 – Nine Security Flaws Patched for Cisco Small Business Series Switches

Executive Summary

Cisco has released updates to address 4 critical and 5 high rated vulnerabilities in the web-based user interface of some of its small business series switches. The identified flaws could be exploited by an unauthenticated, remote attacker to run arbitrary code with the highest level of privilege or cause a denial-of-service (DoS). Switches that are end of life will not be receiving security updates.

What can I do?

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities, however if the switches are not operating as a Layer 3 switch at the exposed edge of a network, and the web interface is not accessible externally from the internet then they would not be vulnerable to remote attackers, but would however allow for lateral movement to an attacker that already has access to the network. Patches for the critical vulnerabilities should be applied immediately and for the high rated vulnerabilities, as soon as possible, and replacements for supported end of life switches should be considered.  To download the firmware from the Software Centre on Cisco.com, click Browse all and choose Switches > LAN Switches - Small Business.

The following vulnerabilities have been patched in the following firmware versions:

  • 250 Series Smart Switches (Fixed in firmware version 2.5.9.16)

  • 350 Series Managed Switches (Fixed in firmware version 2.5.9.16)

  • 350X Series Stackable Managed Switches (Fixed in firmware version 2.5.9.16)

  • 550X Series Stackable Managed Switches (Fixed in firmware version 2.5.9.16)

  • Business 250 Series Smart Switches (Fixed in firmware version 3.3.0.16)

  • Business 350 Series Managed Switches (Fixed in firmware version 3.3.0.16)

The following switches will not have an update to address these flaws due to being in the end-of-life process, and should be replaced where possible:

  • Small Business 200 Series Smart Switches

  • Small Business 300 Series Managed Switches

  • Small Business 500 Series Stackable Managed Switches

Technical Summary

The four critical vulnerabilities (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, CVE-2023-20189) relate to on improper validation of requests that are sent to the web-based user interface. An attacker could exploit this vulnerability by sending a crafted request through this interface, allowing them to execute arbitrary code with root privileges, the highest available, on an affected device.

Further information on these flaws is available here:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sg-web-multi-S9g4Nkgv

Need help understanding your gaps, or just want some advice? Get in touch with us.

Read More