Critical Vulnerabilities in Cisco Small Business Series Switches
18 May 2023
Cisco has released security updates to address multiple critical vulnerabilities (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161 and CVE-2023-20189) in its Small Business Series Switches. The vulnerabilities have a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.
The vulnerabilities are:
- CVE-2023-20159: A stack buffer overflow vulnerability that may allow an unauthenticated, remote attacker to execute arbitrary code with root privileges on an affected device.
- CVE-2023-20160: A BSS buffer overflow vulnerability that may allow an unauthenticated, remote attacker to execute arbitrary code with root privileges on an affected device.
- CVE-2023-20161 and CVE-2023-20189: An unauthenticated stack buffer overflow vulnerability that may allow an unauthenticated, remote attacker to execute arbitrary code with root privileges on an affected device.
The vulnerabilities affect the following product versions:
- 250 Series Smart Switches
- 350 Series Managed Switches
- 350X and 550X Series Stackable Managed Switches
- Business 250 Series Smart Switches
- Business 350 Series Managed Switches
Users and administrators of affected product versions are advised to update to the latest versions immediately.
More information is available here: