Some of the vulnerabilities could lead to complete compromise of the device, and a proof of concept is publicly available.

Cisco patched several vulnerabilities this week that affect multiple models of its small business switches and could allow attackers to take full control of the devices remotely. The flaws are all located in the web-based management interface of the devices and can be exploited without authentication. While the company didn’t disclose which specific components of the web interface the flaws are located in, it noted in its advisory that the vulnerabilities are not dependent on one another and can be exploited independently.

Because the flaws can be exploited without authentication, we can infer that they’re probably located in functionality that doesn’t require authentication, or for which the authentication mechanism can be bypassed. The former seems more likely, since none of the flaws are described as an authentication bypass. While Cisco is not yet aware of any malicious exploitation of these flaws, the company noted that proof-of-concept exploit code is already publicly available for these vulnerabilities.

Attackers do need to have access to the web management interface, which can be achieved directly in cases where the management interface is exposed to the internet, or indirectly by first gaining a foothold on an internal network where a vulnerable switch is used.

Cisco vulnerabilities could allow complete device compromise, denial of service, data leakage

Four of the flaws are described as buffer overflows and can be exploited to achieve arbitrary code execution with root (administrative) permissions. This generally results in a complete compromise of the device. These four flaws are tracked as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189. All are rated 9.8 out of 10 on the CVSS severity scale.
Another four flaws are also described as buffer overflow conditions, but can only lead to a denial-of-service condition on vulnerable devices when they process maliciously crafted requests. These flaws are tracked as CVE-2023-20156, CVE-2023-20024, CVE-2023-20157, and CVE-2023-20158, and are rated 8.6 in severity.

The last flaw is described as a configuration reading error and can allow attackers to read unauthorized information from an affected device without authentication. The flaw, tracked as CVE-2023-20162, is rated 7.5 in severity (High).

Upgrade to latest Cisco firmware

The vulnerabilities impact version 2.5.9.15 and earlier of the Cisco firmware for 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches and 550X Series Stackable Managed Switches, as well as version 3.3.0.15 and earlier of the firmware for Business 250 Series Smart Switches and Business 350 Series Managed Switches. Cisco released patched firmware versions 2.5.9.16 and 3.3.0.16, respectively.

The Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches and Small Business 500 Series Stackable Managed Switches are also affected, but will not receive firmware upgrades because they have reached end-of-life.

The company notes that not all affected firmware versions are impacted by all the vulnerabilities, which suggests some flaws might be version-specific. Nevertheless, customers should upgrade to the latest firmware version as soon as possible, as there are no known workarounds and attackers have taken an interest in Cisco devices before.
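As an added example (not part of the article or of Cisco's advisory), the following script checks a switch inventory against the fixed firmware builds named above: 2.5.9.16 for the 250/350/350X/550X families, 3.3.0.16 for the Business 250/350 families, and no fix at all for the end-of-life 200/300/500 families. The inventory format, hostnames and the pre-patch firmware strings are constructed assumptions; the fixed build is chosen from the firmware's major version train.

```python
"""Inventory check against the fixed firmware versions in the Cisco advisory write-up."""
from typing import NamedTuple

# Fixed builds per firmware train, as given in the article (2.x and 3.x trains).
FIXED_BY_TRAIN = {2: (2, 5, 9, 16), 3: (3, 3, 0, 16)}
# Families the article lists as affected but end-of-life, so no patched firmware exists.
EOL_FAMILIES = ("200 Series", "300 Series", "500 Series")


class Finding(NamedTuple):
    host: str
    status: str   # "ok" | "upgrade" | "eol" | "unknown"
    detail: str


def parse_version(text: str) -> tuple:
    # Compare numerically: as strings, "2.5.9.9" would wrongly sort after "2.5.9.16".
    return tuple(int(part) for part in text.strip().split("."))


def assess(host: str, family: str, firmware: str) -> Finding:
    if any(eol in family for eol in EOL_FAMILIES):
        # Affected but never patched: replacement or isolating the web UI is the only option.
        return Finding(host, "eol", "affected, no fixed firmware (end-of-life)")
    current = parse_version(firmware)
    fixed = FIXED_BY_TRAIN.get(current[0])
    if fixed is None:
        return Finding(host, "unknown", f"firmware train {current[0]}.x not covered here")
    if current >= fixed:
        return Finding(host, "ok", f"running {firmware}")
    # The advisory says not every version carries every bug; flagging anything below
    # the fixed build as exposed matches its blanket upgrade guidance.
    return Finding(host, "upgrade", f"{firmware} < {'.'.join(map(str, fixed))}")


def run(inventory):
    """Assess each (hostname, product family, firmware) row and return the findings."""
    return [assess(host, family, firmware) for host, family, firmware in inventory]


if __name__ == "__main__":
    sample = [  # constructed inventory rows, not real devices
        ("sw-core-1", "350X Series Stackable Managed Switches", "2.5.9.9"),
        ("sw-edge-2", "Business 250 Series Smart Switches", "3.3.0.16"),
        ("sw-old-3", "Small Business 300 Series Managed Switches", "1.4.11.5"),
    ]
    for finding in run(sample):
        print(f"{finding.host:10} {finding.status:8} {finding.detail}")
```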