Three major vulnerabilities found in Cisco SMB switches

These are the latest in a long line of security blunders from the American networking giant

Cisco

Three of Cisco's most popular switches for SMBs contain serious security flaws that could allow a hacker to remotely access the device and infiltrate an organisation's network.

The critical vulnerabilities, which affect Cisco's Small Business 220 Series of smart switches, include a remote code execution (RCE) bug rated 9.8/10 by Cisco in terms of threat severity, an authentication bypass rated 9.1/10 and a command injection rated 7.2/10 .

The two most severe bugs the authentication bypass and command injection can be exploited by a  hacker over the internet without the need for authentication on the device. "Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS," said Cisco in an advisory notice.

The RCE bug allows attackers to execute malicious code with root privileges on the underlying operating system, meaning they can take over the device via an HTTP or HTTPS request on any internet-facing 220 Series switch.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

A patch has been issued for each of the three vulnerabilities, but the updates aren't delivered automatically so the onus is on the customer to keep their business safe.

These vulnerabilities mark a continuation of an increasingly dire year for Cisco in terms of security. A wealth of issues have plagued its equipment which prompted many questions from customers at this year's Cisco Live US conference.

Most significant of these issues was Thrangrycat, a pair of interoperating vulnerabilities that affected most Cisco enterprise routers, giving attackers the opportunitys to block updates to a core security module, which could potentially lead to an entire network's compromise.

Experts said at the time that Thrangrycat was "virtually unpatchable" and likened the weakness to a bank leaving its vault doors wide open. When asked about what the company was doing to address the problem, experts at Cisco's Talos team seemed to evade the crux of the question.

Most recently, the company settled a lawsuit accusing it of knowingly selling faulty equipment to the US government and military for $8.6 million.

Earlier this year, the company came under fire again for failing to patch two critical vulnerabilities in its SMB routers after being notified months earlier.

Featured Resources

Digital Risk Report 2020

A global view into the impact of digital transformation on risk and security management

Download now

6 ways your business could suffer if you don’t backup Office 365

Office 365 makes it easy to lose valuable data regularly, unpredictably, unintentionally, and for good

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now

8 digital best practices for IT professionals

Don't leave anything to chance when going digital

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/mobile/28299/how-to-use-chromecast-without-wi-fi
Mobile

How to use Chromecast without Wi-Fi

5 Feb 2020
Visit/operating-systems/27717/how-to-fix-a-stuck-windows-10-update
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020
Visit/security/34616/the-top-ten-password-cracking-techniques-used-by-hackers
Security

The top ten password-cracking techniques used by hackers

10 Feb 2020
Visit/software/linux/354831/microsoft-to-add-defender-antivirus-software-to-linux-ios-and-android
Linux

Microsoft to add Defender antivirus software to Linux, iOS and Android

21 Feb 2020