In a security advisory published by the company’s Product Security Incident Response Team (PSIRT), hackers could abuse flaws in the web user interface to run arbitrary code with root privileges. The flaws in question are tracked as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189, all with a 9.8 severity rating.
“An attacker could exploit this vulnerability by sending a crafted request through the web-based user interface,” Cisco stated. “A successful exploit could allow the attacker to execute arbitrary code with root privileges on an affected device.”
Multiple devices affected
The list of vulnerable devices includes the 250 Series smart switches, 350 Series managed switches, and 350X Series and 550X stackable managed switches. To fix the flaws, IT teams are advised to bring their firmware up to version 184.108.40.206. There is no workaround for the flaws, Cisco said, so the only way to truly stay safe is to apply the patch.
Small Business 200 Series smart switches, Small Business 300 Series managed switches, and Small Business 500 Series stackable managed switches are also said to be affected by the flaws, but as these are reaching end-of-life, Cisco won’t be releasing a patch. Businesses using these endpoints are advised to migrate to a newer model.
Businesses with service contracts that include software updates will receive the fixes through the usual update channels, Cisco said. Businesses with valid Cisco or third-party licenses will have their gear patched through maintenance upgrades, it was added.
While the company claims there’s no evidence of these flaws being used in the wild, it did say that a proof-of-concept exists. As such, it’s just a matter of time before hackers start exploiting the vulnerabilities.
The flaws were discovered by an “external researcher”, Cisco concluded.
Via: The Register (opens in new tab)