Cisco today notified customers of four critical remote code execution vulnerabilities with public exploit code affecting multiple Small Business Series switches.
All four security vulnerabilities received near-maximum severity ratings, with CVSS base scores of 9.8/10. Successful exploitation allows unauthenticated attackers to execute arbitrary code with root privileges on compromised devices.
The vulnerabilities, identified as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189, are caused by improper validation of requests sent to web interfaces of targeted switches.
Attackers can exploit them via maliciously crafted requests sent through the web UIs of targeted devices in low-complexity attacks that do not require user interaction.
“The vulnerabilities are not dependent on each other. Exploiting one of the vulnerabilities is not necessary to exploit another vulnerability”, Cisco explained.
“Furthermore, a software version affected by one of the vulnerabilities may not be affected by the other vulnerabilities.”
The list of affected Cisco switches includes:
- 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, and 550X Series Stackable Managed Switches (fixed in firmware version 184.108.40.206)
- Business 250 Series Smart Switches and Business 350 Series Managed Switches (fixed in firmware version 220.127.116.11)
- Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, Small Business 500 Series Stackable Managed Switches (no patch available)
The Cisco Product Security Incident Response Team (PSIRT) also revealed that proof-of-concept exploit code is available for these security vulnerabilities, which could lead to active exploitation if motivated malicious actors create their own exploits.
The company warned on Wednesday that its Product Security Incident Response Team (PSIRT) is “aware that proof-of-concept exploit code is available” for these security vulnerabilities, which could allow threat actors to target vulnerable devices exposed to remote access.
Fortunately, however, Cisco’s PSIRT has yet to find any evidence of attempts to exploit the vulnerabilities in attacks.
Cisco is also working on fixing a cross-site scripting (XSS) vulnerability in its Prime Collaboration Deployment (PCD) server management tool, reported by Pierre Vivegnis of NATO’s Cyber Security Center (NCSC).
A joint advisory issued by the US, UK and Cisco recently warned that the Russian military hacking group APT28 deployed custom malware named “Jaguar Tooth” on Cisco IOS routers to gain unauthenticated access to compromised devices.