Critical Vulnerabilities in Cisco Small Business Series Switches

Published on 18 May 2023

Cisco has released security updates to address multiple critical vulnerabilities (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161 and CVE-2023-20189) in their Small Business Series Switches. The vulnerabilities have a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.

The vulnerabilities are:
  • CVE-2023-20159: A stack buffer overflow vulnerability that may allow an unauthenticated, remote attacker to execute arbitrary code with root privileges on an affected device.
  • CVE-2023-20160: A BSS buffer overflow vulnerability that may allow an unauthenticated, remote attacker to execute arbitrary code with root privileges on an affected device.
  • CVE-2023-20161 and CVE-2023-20189: An unauthenticated stack buffer overflow vulnerability that may allow an unauthenticated, remote attacker to execute arbitrary code with root privileges on an affected device.
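The three bug classes named above (stack buffer overflow and BSS buffer overflow) share one root cause: a copy whose length is governed by attacker-supplied input rather than by the size of the destination. The C program below is an added illustration written for this page, not Cisco's code and not derived from the advisory; the field name, the `NAME_MAX` size and the inputs are all hypothetical. It shows the unbounded pattern for both a stack buffer and a zero-initialised global (which lives in `.bss`), and beside it a bounded copy that rejects over-long fields instead of silently overrunning them.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32   /* hypothetical field size; an assumption for the example */

/* Zero-initialised global: the linker places it in .bss, so an unbounded
   write past its end is the "BSS buffer overflow" class. */
static char g_device_name[NAME_MAX];

/* Vulnerable shape 1: the copy is bounded only by the source's NUL, never by
   the destination size, so a field longer than NAME_MAX overruns .bss. */
static void set_device_name_unchecked(const char *field)
{
    strcpy(g_device_name, field);
}

/* Vulnerable shape 2: same defect, but the destination is on the stack,
   so the overrun clobbers saved registers and the return address instead. */
static size_t stack_copy_unchecked(const char *field)
{
    char local[NAME_MAX];
    strcpy(local, field);
    return strlen(local);
}

/* Hardened shape: the destination size is the only bound on the copy and an
   over-long field is rejected outright. Returns 0 on success, -1 if the field
   (plus its terminator) does not fit. Truncating silently would be a second
   option, but rejecting makes the failure visible to logging and monitoring. */
int copy_field_bounded(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    if (src_len >= dst_size)          /* must leave room for the NUL */
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Explicit-length wrapper for the global; callers pass the parsed field length. */
int set_device_name(const char *field, size_t field_len)
{
    return copy_field_bounded(g_device_name, sizeof g_device_name, field, field_len);
}

const char *get_device_name(void)
{
    return g_device_name;
}

int main(void)
{
    /* Constructed inputs: one well-formed field and one far longer than NAME_MAX. */
    const char ok[] = "edge-switch-01";
    char too_long[NAME_MAX + 16];
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';

    /* On benign input the unchecked functions behave, which is why this class
       of bug survives functional testing; the defect only shows on hostile input. */
    set_device_name_unchecked(ok);
    printf("unchecked, benign input: %s (%zu bytes)\n",
           get_device_name(), stack_copy_unchecked(ok));

    /* The bounded version accepts the same benign field ... */
    printf("bounded, benign input: rc=%d name=%s\n",
           set_device_name(ok, strlen(ok)), get_device_name());

    /* ... and refuses the over-long one, leaving the stored name untouched. */
    printf("bounded, over-long input: rc=%d name still=%s\n",
           set_device_name(too_long, strlen(too_long)), get_device_name());
    return 0;
}
```

In a real request parser the length passed to `set_device_name` comes from the protocol decoder (a Content-Length, a TLV length field, or the span between delimiters), and the check has to be done against the destination size at every copy site; a single missed site is enough to reintroduce the defect. Patching to the vendor's fixed release remains the only remediation for the switches themselves.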

The vulnerabilities affect the following products:
  • 250 Series Smart Switches
  • 350 Series Managed Switches
  • 350X and 550X Series Stackable Managed Switches
  • Business 250 Series Smart Switches
  • Business 350 Series Managed Switches

Users and administrators of affected product versions are advised to update to the latest versions immediately.

More information is available here: