Three major vulnerabilities found in Cisco SMB switches

These are the latest in a long line of security blunders from the American networking giant

Cisco

Three of Cisco's most popular switches for SMBs contain serious security flaws that could allow a hacker to remotely access the device and infiltrate an organisation's network.

The critical vulnerabilities, which affect Cisco's Small Business 220 Series of smart switches, include a remote code execution (RCE) bug rated 9.8/10 by Cisco in terms of threat severity, an authentication bypass rated 9.1/10 and a command injection rated 7.2/10 .

The two most severe bugs the authentication bypass and command injection can be exploited by a  hacker over the internet without the need for authentication on the device. "Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS," said Cisco in an advisory notice.

The RCE bug allows attackers to execute malicious code with root privileges on the underlying operating system, meaning they can take over the device via an HTTP or HTTPS request on any internet-facing 220 Series switch.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

A patch has been issued for each of the three vulnerabilities, but the updates aren't delivered automatically so the onus is on the customer to keep their business safe.

These vulnerabilities mark a continuation of an increasingly dire year for Cisco in terms of security. A wealth of issues have plagued its equipment which prompted many questions from customers at this year's Cisco Live US conference.

Most significant of these issues was Thrangrycat, a pair of interoperating vulnerabilities that affected most Cisco enterprise routers, giving attackers the opportunitys to block updates to a core security module, which could potentially lead to an entire network's compromise.

Experts said at the time that Thrangrycat was "virtually unpatchable" and likened the weakness to a bank leaving its vault doors wide open. When asked about what the company was doing to address the problem, experts at Cisco's Talos team seemed to evade the crux of the question.

Most recently, the company settled a lawsuit accusing it of knowingly selling faulty equipment to the US government and military for $8.6 million.

Earlier this year, the company came under fire again for failing to patch two critical vulnerabilities in its SMB routers after being notified months earlier.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020