Three major vulnerabilities found in Cisco SMB switches

These are the latest in a long line of security blunders from the American networking giant

Cisco

Three of Cisco's most popular switches for SMBs contain serious security flaws that could allow a hacker to remotely access the device and infiltrate an organisation's network.

The critical vulnerabilities, which affect Cisco's Small Business 220 Series of smart switches, include a remote code execution (RCE) bug rated 9.8/10 by Cisco in terms of threat severity, an authentication bypass rated 9.1/10 and a command injection rated 7.2/10 .

The two most severe bugs the authentication bypass and command injection can be exploited by a  hacker over the internet without the need for authentication on the device. "Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS," said Cisco in an advisory notice.

The RCE bug allows attackers to execute malicious code with root privileges on the underlying operating system, meaning they can take over the device via an HTTP or HTTPS request on any internet-facing 220 Series switch.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

A patch has been issued for each of the three vulnerabilities, but the updates aren't delivered automatically so the onus is on the customer to keep their business safe.

These vulnerabilities mark a continuation of an increasingly dire year for Cisco in terms of security. A wealth of issues have plagued its equipment which prompted many questions from customers at this year's Cisco Live US conference.

Most significant of these issues was Thrangrycat, a pair of interoperating vulnerabilities that affected most Cisco enterprise routers, giving attackers the opportunitys to block updates to a core security module, which could potentially lead to an entire network's compromise.

Experts said at the time that Thrangrycat was "virtually unpatchable" and likened the weakness to a bank leaving its vault doors wide open. When asked about what the company was doing to address the problem, experts at Cisco's Talos team seemed to evade the crux of the question.

Most recently, the company settled a lawsuit accusing it of knowingly selling faulty equipment to the US government and military for $8.6 million.

Earlier this year, the company came under fire again for failing to patch two critical vulnerabilities in its SMB routers after being notified months earlier.

Featured Resources

Transform the operator experience with enhanced automation & analytics

Bring networking into the digital era

Download now

Artificially intelligent data centres

How the C-Suite is embracing continuous change to drive value

Download now

Deliver secure automated multicloud for containers with Red Hat and Juniper

Learn how to get started with the multicloud enabler from Red Hat and Juniper

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/security/vulnerability/354309/patch-issued-for-critical-windows-bug
vulnerability

Patch issued for critical Windows bug

11 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/operating-systems/microsoft-windows/354297/this-exploit-could-give-users-free-windows-7-updates
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019
Visit/data-insights/big-data/354311/google-reveals-uks-most-searched-for-terms-in-2019
big data

Google reveals UK’s most searched for terms in 2019

11 Dec 2019