Cisco has warned customers about a set of four critical remote code execution vulnerabilities that can let attackers execute arbitrary code with root privileges on compromised devices. The issues are caused by improper validation of requests sent to the targeted switches’ web interfaces and affect multiple Small Business Series switches. Affected devices include:
- 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches and 550X Series Stackable Managed Switches (fixed in firmware version 188.8.131.52)
- Business 250 Series Smart Switches and Business 350 Series Managed Switches (fixed in firmware version 184.108.40.206)
- Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, Small Business 500 Series Stackable Managed Switches (no patch available at the time of writing)

The 200, 300 and 500 series Small Business Switches are affected by the vulnerabilities but won’t receive a firmware update, as these devices have already entered their end-of-life process as per Cisco’s announcement.
As for the vulnerabilities themselves, they’re tracked as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161 and CVE-2023-20189. All of these vulnerabilities have a CVSS score of 9.8/10 and a critical rating. Additionally, they’re not dependent on one another, meaning any one of them can be exploited without exploiting another.
The vulnerabilities are part of a larger vulnerability set. Five other vulnerabilities tracked as CVE-2023-20024 (CVSS score 8.6), CVE-2023-20156 (CVSS score 8.6), CVE-2023-20157 (CVSS score 8.6), CVE-2023-20158 (CVSS score 8.6) and CVE-2023-20162 (CVSS score 7.5) were also announced.
They can be exploited by sending a specially crafted request through the web-based user interface. They can also be abused to trigger a DoS condition or read unauthorised information on affected systems via a malicious request.
The Cisco Product Security Incident Response Team (PSIRT) also revealed that proof-of-concept exploit code is already available in the wild, meaning affected devices exposed to the internet are at risk. However, PSIRT has yet to find evidence that suggests active exploitation of these vulnerabilities.