Three major vulnerabilities found in Cisco SMB switches

These are the latest in a long line of security blunders from the American networking giant

Cisco

Three of Cisco's most popular switches for SMBs contain serious security flaws that could allow a hacker to remotely access the device and infiltrate an organisation's network.

The critical vulnerabilities, which affect Cisco's Small Business 220 Series of smart switches, include a remote code execution (RCE) bug rated 9.8/10 by Cisco in terms of threat severity, an authentication bypass rated 9.1/10 and a command injection rated 7.2/10 .

The two most severe bugs the authentication bypass and command injection can be exploited by a  hacker over the internet without the need for authentication on the device. "Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS," said Cisco in an advisory notice.

The RCE bug allows attackers to execute malicious code with root privileges on the underlying operating system, meaning they can take over the device via an HTTP or HTTPS request on any internet-facing 220 Series switch.

A patch has been issued for each of the three vulnerabilities, but the updates aren't delivered automatically so the onus is on the customer to keep their business safe.

These vulnerabilities mark a continuation of an increasingly dire year for Cisco in terms of security. A wealth of issues have plagued its equipment which prompted many questions from customers at this year's Cisco Live US conference.

Most significant of these issues was Thrangrycat, a pair of interoperating vulnerabilities that affected most Cisco enterprise routers, giving attackers the opportunitys to block updates to a core security module, which could potentially lead to an entire network's compromise.

Experts said at the time that Thrangrycat was "virtually unpatchable" and likened the weakness to a bank leaving its vault doors wide open. When asked about what the company was doing to address the problem, experts at Cisco's Talos team seemed to evade the crux of the question.

Most recently, the company settled a lawsuit accusing it of knowingly selling faulty equipment to the US government and military for $8.6 million.

Earlier this year, the company came under fire again for failing to patch two critical vulnerabilities in its SMB routers after being notified months earlier.

Featured Resources

BIOS security: The next frontier for endpoint protection

Today’s threats upend traditional security measures

Download now

The role of modern storage in a multi-cloud future

Research exploring the impact of modern storage in defining cloud success

Download now

Enterprise data protection: A four-step plan

An interactive buyers’ guide and checklist

Download now

The total economic impact of Adobe Sign

Cost savings and business benefits enabled by Adobe Sign

Download now

Recommended

8 of the most secure web browsers
web browser

8 of the most secure web browsers

25 Sep 2020
Your essential guide to internet security
Security

Your essential guide to internet security

23 Sep 2020
How to enable private browsing on any device
privacy

How to enable private browsing on any device

22 Sep 2020
Third-party apps are tracking your WhatsApp activity
social media

Third-party apps are tracking your WhatsApp activity

21 Sep 2020

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
The Xbox Series X shows how far the cloud still has to go
Cloud

The Xbox Series X shows how far the cloud still has to go

25 Sep 2020