Cisco has updated security advisories for three
According to the Cisco Product Security Incident Response Team (PSIRT), public exploit code for these flaws is available online.
One of the vulnerabilities is critical remote code execution tracked as CVE-2019-1913, an attacker could exploit this flaw to execute arbitrary code with root privileges on the underlying operating system.
“Multiple vulnerabilities in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an
“The vulnerabilities are due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer. An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device. Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS.
Another flaw is an authentication bypass security flaw tracked as CVE-2019-1912 that resides in the web management interface of Cisco Small Business 220 Series Smart Switches. The flaw could be exploited by an attacker to modify the configuration of an affected device or to inject a reverse shell.
“A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an
“The vulnerability is due to incomplete authorization checks in the web management interface. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to modify the configuration of an affected device or to inject a reverse shell.”
The third flaw is a command injection vulnerability tracked as CVE-2019-1914 that could be exploited by an authenticated, remote attackers launch a command injection attack.
The good news is that Cisco is not aware of attacks exploiting the above issues.
“The Cisco Product Security Incident Response Team (PSIRT) is aware of the existence of public exploit code. Cisco PSIRT is not aware of malicious use of the vulnerability that is described in this advisory.” states Cisco.
Cisco also released security patches to address 17 critical and high-severity vulnerabilities affecting some Cisco Unified Computing products (UCS) and Integrated Management Controller (IMC)
Also for these flaws, Cisco confirmed it is not aware of attacks in the wild that have exploited them.
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – Cisco Small Business, hacking)