Cisco this week released patches to address several vulnerabilities in its Small Business 220 Series Smart Switches, including two bugs rated Critical severity.
The most important of these issues could allow an unauthenticated, remote attacker to execute arbitrary code with root privileges on the underlying operating system.
Tracked as CVE-2019-1913 and featuring a CVSS score of 9.8, the flaw consists of multiple vulnerabilities in the web management interface of the smart switches.
“The vulnerabilities are due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer. An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device,” Cisco explains.
The requests must be sent via HTTP or HTTPS, depending on the configuration of the vulnerable switch.
Tracked as CVE-2019-1912 and featuring a CVSS score of 9.1, the second Critical vulnerability in the Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files.
The issue is due to incomplete authorization checks in the web management interface. An attacker looking to exploit the bug needs to send a malicious request to certain parts of the interface. The attacker could then modify the configuration of the affected device or inject a reverse shell.
Cisco also addressed a Medium risk vulnerability in the Small Business 220 Series Smart Switches. Tracked as CVE-2019-1914 and featuring a CVSS score of 7.2, the security flaw could allow an authenticated, remote attacker to perform a command injection.
The issue is caused by the improper validation of user-supplied input. An attacker with a valid login session as a privil ..
Support the originator by clicking the read the rest link below.
