Update now: 9 vulnerabilities impact Cisco Small Business Series

Nine vulnerabilities have been found and fixed in the web-based user interface of several Cisco products in the Small Business Series. All nine are in the products' web-based management interface, and in the worst case they could lead to a denial of service (DoS) condition or to arbitrary code execution with root privileges.

Affected products

The vulnerabilities affect the following products if they are running vulnerable firmware:

  • 250 Series Smart Switches
  • 350 Series Managed Switches
  • 350X Series Stackable Managed Switches
  • 550X Series Stackable Managed Switches
  • Business 250 Series Smart Switches
  • Business 350 Series Managed Switches
  • Small Business 200 Series Smart Switches
  • Small Business 300 Series Managed Switches
  • Small Business 500 Series Stackable Managed Switches

Vulnerabilities

  • CVE-2023-20159: Cisco Small Business Series Switches Unauthenticated Stack Buffer Overflow Vulnerability
  • CVE-2023-20160: Cisco Small Business Series Switches Unauthenticated BSS Buffer Overflow Vulnerability
  • CVE-2023-20161: Cisco Small Business Series Switches Unauthenticated Stack Overflow Vulnerability
  • CVE-2023-20189: Cisco Small Business Series Switches Unauthenticated Stack Buffer Overflow Vulnerability

The four vulnerabilities above could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. They are caused by improper validation of requests sent to the web interface: an attacker could send a crafted request to the interface and, on success, execute arbitrary code with root privileges on the device.
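To make the bug class concrete, here is an added illustration in C. It is not code from Cisco's firmware or from the advisory; the request format, the handler names, the "user" parameter and the 64-byte buffer size are all hypothetical. It shows a request parameter copied into a fixed-size stack buffer with no length check (the pattern behind an "unauthenticated stack buffer overflow" finding) next to a hardened handler that validates the length before copying, plus a helper that reports how far past the buffer the vulnerable handler would write for a given request without actually doing so.

```c
/* Added illustrative example, not Cisco code. All names, sizes and the
 * request format are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USER_BUF 64   /* hypothetical size of the handler's stack buffer */

/* Locate the value of query parameter `key` in a request target such as
 * "/login.cgi?user=admin&lang=en". Returns a pointer into `target` and the
 * value length in *len, or NULL if the key is absent. Nothing is copied. */
static const char *query_param(const char *target, const char *key, size_t *len)
{
    const char *q = strchr(target, '?');
    size_t klen = strlen(key);
    if (!q) return NULL;
    for (const char *p = q + 1; *p; ) {
        const char *amp = strchr(p, '&');
        size_t plen = amp ? (size_t)(amp - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            *len = plen - klen - 1;
            return p + klen + 1;
        }
        if (!amp) break;
        p = amp + 1;
    }
    return NULL;
}

/* VULNERABLE pattern (the bug class the advisory describes): the value is
 * copied into a fixed stack buffer with no length check, so a "user" value
 * of 64 bytes or more writes past the end of `name`. Shown for contrast
 * only; never feed it untrusted input. */
static void handle_login_vulnerable(const char *target)
{
    char name[USER_BUF];
    size_t len;
    const char *v = query_param(target, "user", &len);
    if (!v) return;
    memcpy(name, v, len);      /* len is never compared with USER_BUF */
    name[len] = '\0';
    printf("login attempt for %s\n", name);
}

/* HARDENED: validate the length before touching the buffer and reject the
 * request when the value cannot fit. Returns the accepted length, or -1. */
static int handle_login_hardened(const char *target, char out[USER_BUF])
{
    size_t len;
    const char *v = query_param(target, "user", &len);
    if (!v || len == 0 || len >= USER_BUF)
        return -1;                        /* missing or oversize: reject */
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}

/* Convenience wrapper around the hardened handler using a private buffer. */
static int hardened_user_len(const char *target)
{
    char name[USER_BUF];
    return handle_login_hardened(target, name);
}

/* How many bytes the vulnerable handler would write past its buffer for
 * this request, computed without performing the write. */
static size_t overflow_bytes(const char *target)
{
    size_t len;
    const char *v = query_param(target, "user", &len);
    if (!v) return 0;
    size_t needed = len + 1;              /* value plus NUL terminator */
    return needed > USER_BUF ? needed - USER_BUF : 0;
}

/* Build a constructed request "/login.cgi?user=AAAA...&lang=en" carrying
 * `value_len` bytes of 'A' (capped so the static buffer itself is safe). */
static const char *build_request(size_t value_len)
{
    static char req[512];
    const char *prefix = "/login.cgi?user=";
    const char *suffix = "&lang=en";
    if (value_len > 400) value_len = 400;
    size_t n = strlen(prefix);
    memcpy(req, prefix, n);
    memset(req + n, 'A', value_len);
    n += value_len;
    memcpy(req + n, suffix, strlen(suffix) + 1);
    return req;
}

int main(void)
{
    char name[USER_BUF];
    const char *benign = "/login.cgi?user=admin&lang=en";   /* constructed */
    const char *oversize = build_request(200);              /* constructed */

    handle_login_vulnerable(benign);    /* safe here: 5 bytes fit */
    printf("hardened, benign request: %d\n", handle_login_hardened(benign, name));
    printf("hardened, oversize request: %d\n", handle_login_hardened(oversize, name));
    printf("vulnerable handler would overflow by %zu bytes\n", overflow_bytes(oversize));
    return 0;
}
```

The hardened handler rejects any value that, with its terminator, does not fit in the buffer; the same check applied to heap- or BSS-resident buffers is what the heap and BSS overflow entries above are missing.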

  • CVE-2023-20024: Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
  • CVE-2023-20156: Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
  • CVE-2023-20157: Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
  • CVE-2023-20158: Cisco Small Business Series Switches Unauthenticated Denial-of-Service Vulnerability

The four vulnerabilities above could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. As above, the cause is improper validation of crafted requests sent to the web interface.

  • CVE-2023-20162: Cisco Small Business Series Switches Unauthenticated Configuration Reading Vulnerability

This final vulnerability could allow an unauthenticated, remote attacker to read unauthorised information on an affected device. As with the other flaws, the cause is improper validation of requests sent to the web interface.

Mitigation

Cisco has confirmed that two products in the range are not vulnerable:

  • 220 Series Smart Switches
  • Business 220 Series Smart Switches

For the affected products, Cisco has released software updates that fix the vulnerabilities, and states that customers “should obtain security fixes through their usual update channels”. Note that, according to Cisco's advisory, no firmware updates will be released for the Small Business 200, 300 and 500 Series, which have reached end of life; those switches remain vulnerable unless they are replaced.

There are no workarounds that address these vulnerabilities, so a device stays exploitable until the fixed firmware is installed. Because all nine flaws sit in the web-based management interface, the usual compensating control in the meantime is to restrict which networks can reach that interface; this reduces exposure but is not a fix.


ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.