Cisco Systems released security patches on Wednesday for high-severity vulnerabilities affecting over a half dozen of its small business switches. The flaws allow remote unauthenticated adversaries to access sensitive information and level denial-of-service (DoS) attacks against affected gear.
Impacted are the 200, 250, 300, 350, 350X, 500 and 550X Series Smart, Managed and Stackable Managed Switches. Cisco said it was unaware of active exploitation of the vulnerabilities; software updates remediating the flaws are available, but there are no workarounds.
The vulnerabilities are an information disclosure flaw (CVE-2019-15993) and a bug (CVE-2020-3147) that can be exploited to cause a DoS condition.
Cisco says that the latter vulnerability is tied to the web user interface of the affected switches and could allow an unauthenticated remote attacker to “cause an unexpected reload of the device, resulting in a DoS condition.”
The vulnerability is due to improper validation of requests sent to the web interface. “An attacker could exploit this vulnerability by sending a malicious request to the web interface of an affected device,” Cisco wrote.
A weakness in Cisco’s web user interface for its small business switches is also to blame for the information disclosure bug.
“The vulnerability exists because the software lacks proper authentication controls to information accessible from the web UI. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web UI of an affected device,” Cisco wrote.
A successful attack could allow an adversary to access sensitive configuration files, according to the company.
Vulnerable to the information disclosure bug are: 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches and 550X Series Stackable Managed Switches running a firmware release earlier than 2.5.0.92. Also impacted are the 200 Series Smart Switches, 300 Series Managed Switches and 500 Series Stackable Managed Switches running a firmware release earlier than 1.4.11.4.
Cisco said the DoS bug affects only the 200 Series Smart Switches, 300 Series Managed Switches and 500 Series Stackable Managed Switches; the 250, 350, 350X and 550X Series are not affected by it.
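For an administrator with a fleet of these switches, the practical question is which units are still running a pre-fix release and which of the two CVEs each one is exposed to. The following triage helper is an added example, not code from Cisco or from the original article. It encodes the affected series and fixed releases exactly as stated above, compares firmware releases numerically rather than as strings (a plain string compare would rank 1.4.9.1 above 1.4.11.4), and runs over a constructed sample inventory. One assumption is labelled in the code: that the DoS fix for the 200/300/500 series shipped in the same 1.4.11.4 release as the information disclosure fix, which the article implies but does not state outright; the hostnames and releases in the sample inventory are made up.

```python
"""Triage helper for the two Cisco Small Business switch advisories above.

Given an inventory of (hostname, product series, running firmware) it reports
which of the two CVEs each switch is still exposed to. Affected series and
fixed releases are taken from the write-up. ASSUMPTION: the DoS fix
(CVE-2020-3147) is treated as shipping in the same 1.4.11.4 release as the
information disclosure fix; the write-up does not give a separate release.
"""
from typing import Dict, List, Tuple

# Fixed firmware releases per product series, as stated in the write-up.
FIXED_RELEASE: Dict[str, str] = {
    "250": "2.5.0.92", "350": "2.5.0.92", "350X": "2.5.0.92", "550X": "2.5.0.92",
    "200": "1.4.11.4", "300": "1.4.11.4", "500": "1.4.11.4",
}

# CVEs that apply to each series. CVE-2019-15993 (info disclosure) affects all
# seven series; CVE-2020-3147 (DoS) affects only the 200/300/500 series.
CVES_BY_SERIES: Dict[str, Tuple[str, ...]] = {
    series: ("CVE-2019-15993",)
    + (("CVE-2020-3147",) if series in ("200", "300", "500") else ())
    for series in FIXED_RELEASE
}


def parse_version(release: str) -> Tuple[int, ...]:
    """Turn '2.5.0.92' into (2, 5, 0, 92) so releases compare numerically.

    Rejects anything that is not dot-separated integers, so a typo in an
    inventory cannot silently pass as 'patched'."""
    parts = release.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed firmware release: {release!r}")
    return tuple(int(p) for p in parts)


def exposed_cves(series: str, running: str) -> List[str]:
    """Return the CVEs a switch of this series is exposed to at this release.

    A series not named in the write-up returns an empty list: it is out of
    scope of these advisories, not known to be safe."""
    fixed = FIXED_RELEASE.get(series)
    if fixed is None:
        return []
    if parse_version(running) < parse_version(fixed):
        return list(CVES_BY_SERIES[series])
    return []


def triage(inventory_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Parse 'hostname series release' lines and attach the exposed CVEs.

    Blank lines and '#' comments are skipped; a malformed line raises rather
    than being dropped, so a bad export does not hide a vulnerable switch."""
    results: List[Tuple[str, str, str, List[str]]] = []
    for lineno, raw in enumerate(inventory_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'host series release', got {line!r}")
        host, series, release = fields
        results.append((host, series, release, exposed_cves(series, release)))
    return results


# Constructed sample inventory: hostnames and running releases are made up.
# The '110' entry stands for a switch family the write-up does not list.
SAMPLE_INVENTORY = """
# host        series  running firmware
sw-edge-01    350X    2.4.5.71
sw-edge-02    550X    2.5.0.92
sw-lab-01     300     1.4.9.1
sw-lab-02     200     1.4.11.4
sw-closet-01  110     1.0.0.1
"""

if __name__ == "__main__":
    for host, series, release, cves in triage(SAMPLE_INVENTORY):
        status = ", ".join(cves) if cves else "patched or not in scope"
        print(f"{host:<12} {series:<6} {release:<10} {status}")
```

Feed it the output of whatever inventory system holds your switch models and firmware strings; the only parsing it does is on the three whitespace-separated fields, so adapt `triage` if your export uses a different layout. A switch that is patched but still exposes its web UI to untrusted networks is still worth restricting, since both bugs are reachable without credentials.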
Researcher Ken Pyle of DFDR Consulting is credited by Cisco for reporting both vulnerabilities.