Cisco Small Business Series Switches Multiple Buffer Overflow Vulnerabilities
CVE numbers: CVE-2023-20024, CVE-2023-20156, CVE-2023-20157, CVE-2023-20158, CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, CVE-2023-20162, CVE-2023-20189
Multiple vulnerabilities in the web-based user interface of certain Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with root privileges on an affected device.
These vulnerabilities are due to improper validation of requests that are sent to the web interface.
Cisco has released free software updates that address the vulnerabilities described.
Vulnerable Products
These vulnerabilities affect the following Cisco Small Business Switches if they are running a vulnerable firmware release:
- 250 Series Smart Switches
- 350 Series Managed Switches
- 350X Series Stackable Managed Switches
- 550X Series Stackable Managed Switches
- Business 250 Series Smart Switches
- Business 350 Series Managed Switches
- Small Business 200 Series Smart Switches
- Small Business 300 Series Managed Switches
- Small Business 500 Series Stackable Managed Switches
Details
Details about the vulnerabilities are as follows:
CVE-2023-20159: Cisco Small Business Series Switches Stack Buffer Overflow Vulnerability
A vulnerability in the web-based user interface of Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of requests that are sent to the web interface. An attacker could exploit this vulnerability by sending a crafted request through the web-based user interface. A successful exploit could allow the attacker to execute arbitrary code with root privileges on an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Bug ID(s): CSCwe27425, CSCwe32323
CVE ID: CVE-2023-20159
Security Impact Rating (SIR): Critical
CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2023-20160: Cisco Small Business Series Switches Unauthenticated BSS Buffer Overflow Vulnerability
A vulnerability in the web-based user interface of Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of requests that are sent to the web interface. An attacker could exploit this vulnerability by sending a crafted request through the web-based user interface. A successful exploit could allow the attacker to execute arbitrary code with root privileges on an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Bug ID(s): CSCwe27441, CSCwe32326
CVE ID: CVE-2023-20160
Security Impact Rating (SIR): Critical
CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2023-20161: Cisco Small Business Series Switches Unauthenticated Stack Buffer Overflow Vulnerability
A vulnerability in the web-based user interface of Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of requests that are sent to the web interface. An attacker could exploit this vulnerability by sending a crafted request through the web-based user interface. A successful exploit could allow the attacker to execute arbitrary code with root privileges on an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Bug ID(s): CSCwe27444, CSCwe32334
CVE ID: CVE-2023-20161
Security Impact Rating (SIR): Critical
CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2023-20189: Cisco Small Business Series Switches Unauthenticated Stack Buffer Overflow Vulnerability
A vulnerability in the web-based user interface of Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of requests that are sent to the web interface. An attacker could exploit this vulnerability by sending a crafted request through the web-based user interface. A successful exploit could allow the attacker to execute arbitrary code with root privileges on an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Bug ID(s): CSCwe27424, CSCwe32321
CVE ID: CVE-2023-20189
Security Impact Rating (SIR): Critical
CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2023-20024: Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
A vulnerability in the web-based user interface of Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper validation of requests that are sent to the web interface. An attacker could exploit this vulnerability by sending a crafted request through the web-based user interface. A successful exploit could allow the attacker to cause a DoS condition on an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Bug ID(s): CSCwe27386, CSCwe32312
CVE ID: CVE-2023-20024
Security Impact Rating (SIR): High
CVSS Base Score: 8.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2023-20156: Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
A vulnerability in the web-based user interface of Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper validation of requests that are sent to the web interface. An attacker could exploit this vulnerability by sending a crafted request through the web-based user interface. A successful exploit could allow the attacker to cause a DoS condition on an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Bug ID(s): CSCwe27393, CSCwe32313
CVE ID: CVE-2023-20156
Security Impact Rating (SIR): High
CVSS Base Score: 8.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2023-20157: Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
A vulnerability in the web-based user interface of Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper validation of requests that are sent to the web interface. An attacker could exploit this vulnerability by sending a crafted request through the web-based user interface. A successful exploit could allow the attacker to cause a DoS condition on an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Bug ID(s): CSCwe27394, CSCwe32315
CVE ID: CVE-2023-20157
Security Impact Rating (SIR): High
CVSS Base Score: 8.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2023-20158: Cisco Small Business Series Switches Unauthenticated Denial-of-Service Vulnerability
A vulnerability in the web-based user interface of Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper validation of requests that are sent to the web interface. An attacker could exploit this vulnerability by sending a crafted request through the web-based user interface. A successful exploit could allow the attacker to cause a DoS condition on an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Bug ID(s): CSCwe27403, CSCwe32318
CVE ID: CVE-2023-20158
Security Impact Rating (SIR): High
CVSS Base Score: 8.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2023-20162: Cisco Small Business Series Switches Unauthenticated Configuration Reading Vulnerability
A vulnerability in the web-based user interface of Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to read unauthorized information on an affected device. This vulnerability is due to improper validation of requests that are sent to the web interface. An attacker could exploit this vulnerability by sending a crafted request through the web-based interface. A successful exploit could allow the attacker to read unauthorized information on an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Bug ID(s): CSCwe27445, CSCwe32338
CVE ID: CVE-2023-20162
Security Impact Rating (SIR): High
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Workarounds
There are no workarounds that address these vulnerabilities.

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.