Warning: Multiple critical vulnerabilities in Cisco Small Business Switches that could lead to RCE, Patch Immediately!

Reference: Advisory #2023-58
Version: 1.0
Affected software:
  • Cisco Firmware 2.5.9.15: 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, and 550X Series Stackable Managed Switches
  • Cisco firmware 3.3.0.15 and earlier small business switches: Business 250 Series Smart Switches and Business 350 Series Managed Switches
Type: Remote Code Execution (RCE)
CVE/CVSS:
  • CVE-2023-20159
  • CVE-2023-20160
  • CVE-2023-20161
  • CVE-2023-20189
  • CVE-2023-20024
  • CVE-2023-20156
  • CVE-2023-20157
  • CVE-2023-20158
  • CVE-2023-20162

Sources

Cisco - Cisco Small Business Series Switches Buffer Overflow Vulnerabilities

Risks

Multiple vulnerabilities in the web-based user interface of certain Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with root privileges on an affected device. These vulnerabilities are due to improper validation of requests that are sent to the web interface.

Of the 9 vulnerabilities patched, 4 are rated critical and 5 are rated high.

Description

CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, CVE-2023-20189

These vulnerabilities are all unauthenticated stack buffer overflow vulnerabilities and could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.

These vulnerabilities are due to improper validation of requests that are sent to the web interface.

An attacker could exploit these vulnerabilities by sending a crafted request through the web-based user interface. A successful exploit could allow the attacker to execute arbitrary code with root privileges on an affected device.

CVE-2023-20024, CVE-2023-20156, CVE-2023-20157

These vulnerabilities are all unauthenticated heap buffer overflow vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

These vulnerabilities are due to improper validation of requests that are sent to the web interface.

An attacker could exploit these vulnerabilities by sending a crafted request through the web-based user interface. A successful exploit could allow the attacker to cause a DoS condition on an affected device.

CVE-2023-20158

This vulnerability could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to improper validation of requests that are sent to the web interface. An attacker could exploit this vulnerability by sending a crafted request through the web-based user interface. A successful exploit could allow the attacker to cause a DoS condition on an affected device.

CVE-2023-20162

This vulnerability could allow an unauthenticated, remote attacker to read unauthorized information on an affected device.

This vulnerability is due to improper validation of requests that are sent to the web interface. An attacker could exploit this vulnerability by sending a crafted request through the web-based interface. A successful exploit could allow the attacker to read unauthorized information on an affected device.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends that system administrators take the following actions:

- Install the patches released by Cisco: Cisco Small Business Series Switches Buffer Overflow Vulnerabilities.

- There are no workarounds available.

- Important notice: The Cisco Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, and Small Business 500 Series Stackable Managed Switches have entered the end-of-life process and will no longer receive updates.
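
To prioritise patching, a switch inventory can be triaged against the affected software list above. The following is an added example, not code from Cisco or from this advisory; the inventory rows, hostnames and status labels are constructed. It assumes that, for the families listed with firmware 2.5.9.15, that release and older ones are affected.

```python
# Added example: triage a switch inventory against this advisory's affected list.
# Family -> highest firmware release the advisory lists as affected.
# Assumption: for the 2.5.9.15 families, older releases are treated as affected too.
AFFECTED_MAX = {
    "250 Series": "2.5.9.15",
    "350 Series": "2.5.9.15",
    "350X Series": "2.5.9.15",
    "550X Series": "2.5.9.15",
    "Business 250 Series": "3.3.0.15",
    "Business 350 Series": "3.3.0.15",
}
# Families the advisory reports as end-of-life: no updates will be released.
END_OF_LIFE = {"Small Business 200 Series", "Small Business 300 Series",
               "Small Business 500 Series"}

def parse_version(text):
    """Turn '2.5.9.15' into (2, 5, 9, 15) so releases compare numerically."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(family, firmware):
    """Classify one device by product family and running firmware."""
    if family in END_OF_LIFE:
        return "EOL_NO_FIX"        # plan replacement, restrict web UI access
    if family not in AFFECTED_MAX:
        return "NOT_LISTED"        # family is not named in this advisory
    try:
        version = parse_version(firmware)
    except ValueError:
        return "CHECK_MANUALLY"    # inventory data too poor to decide
    if version <= parse_version(AFFECTED_MAX[family]):
        return "PATCH"
    return "ABOVE_LISTED"          # confirm the fixed release in Cisco's advisory

INVENTORY = [  # constructed sample data: (hostname, family, firmware)
    ("sw-floor1", "350 Series", "2.5.9.15"),
    ("sw-floor2", "350X Series", "2.5.9.2"),   # older than .15 numerically
    ("sw-lab", "Business 250 Series", "3.3.0.16"),
    ("sw-store", "Small Business 300 Series", "1.4.11.5"),
    ("sw-core", "Business 350 Series", "unknown"),
]

def triage_inventory(rows):
    return {host: triage(family, fw) for host, family, fw in rows}

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:10} {status}")
```

Versions are compared as integer tuples because a plain string comparison would rank 2.5.9.2 above 2.5.9.15 and miss an affected device.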

References

eSecurityPlanet - Cisco Warns of Multiple Flaws in Small Business Series Switches