Cisco switch firmware patched against critical bugs

End-of-life products won't get fixes.

Cisco has gone public with 10 vulnerabilities in various small business switch models, four of which are rated critical, saying that it’s aware of proof-of-concept exploit code for the bugs.

The vulnerabilities let an unauthenticated, remote attacker “execute arbitrary code with root privileges on an affected device”, or cause a denial-of-service.

“These vulnerabilities are due to improper validation of requests that are sent to the web interface,” Cisco’s advisory stated.

The bugs are in the switches’ firmware release 2.5.9.15 and earlier (in the 250 series smart switches, 350 series managed switches, 350X series stackable managed switches, and 550X series stackable managed switches); and release 3.3.0.15 and earlier (in the Business 250 series smart switches and Business 350 series managed switches).

Fixed firmware is available for these devices; however, the Small Business 200, 300 and 500 series switches have entered the end-of-life process and won’t be fixed.
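As an added example that is not from the article or from Cisco, the following inventory check applies the release thresholds quoted above to a list of switches; the family labels, the constructed inventory and the version parsing are this example's own assumptions.

```python
import re

# Thresholds from the advisory summary: firmware at or below the listed
# release is affected. Family labels follow the article's wording and are
# an assumption of this example, not Cisco's product identifiers.
AFFECTED_MAX = {
    "250": (2, 5, 9, 15),
    "350": (2, 5, 9, 15),
    "350X": (2, 5, 9, 15),
    "550X": (2, 5, 9, 15),
    "Business 250": (3, 3, 0, 15),
    "Business 350": (3, 3, 0, 15),
}
# End-of-life families named in the article: no fixed firmware is coming.
END_OF_LIFE = {"200", "300", "500"}

def parse_version(text):
    """Extract a dotted four-part release (e.g. '2.5.9.15') as an int tuple.
    Comparing tuples avoids the string-ordering trap where '2.5.10.0' sorts
    below '2.5.9.15' even though it is a newer release."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(x) for x in m.groups())

def assess(family, version_text):
    """Return the action for one switch: 'replace', 'patch', 'ok' or 'unknown'."""
    if family in END_OF_LIFE:
        return "replace"          # vulnerable and unfixable: plan retirement
    if family not in AFFECTED_MAX:
        return "unknown"          # family not covered by this advisory data
    return "patch" if parse_version(version_text) <= AFFECTED_MAX[family] else "ok"

def triage(inventory):
    """Group an inventory of (hostname, family, version) by required action."""
    out = {"replace": [], "patch": [], "ok": [], "unknown": []}
    for host, family, version in inventory:
        out[assess(family, version)].append(host)
    return out

# Constructed sample inventory for demonstration only.
SAMPLE = [
    ("sw-floor1", "350", "2.5.9.15"),
    ("sw-floor2", "350", "2.5.10.0"),
    ("sw-lab", "Business 350", "3.3.0.15"),
    ("sw-legacy", "300", "1.4.11.5"),
]
```

Hosts landing in "patch" need the fixed firmware; "replace" hosts remain exposed until retired, since no fix will ship for them.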

All but two of the 10 vulnerabilities are some kind of buffer overflow.

The critical vulnerabilities are CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189 (with CVSS scores of 9.8).

CVE-2023-20158 is the denial-of-service vulnerability; it is triggered by sending a crafted request to the web management interface and is rated high (CVSS score 8.6).

In addition, CVE-2023-20162, rated high (CVSS score 7.5), allows an unauthenticated remote attacker to read configuration data.

Copyright © iTnews.com.au. All rights reserved.