Cisco published a security advisory that fixes multiple vulnerabilities with Cisco Small Business Switches.
The vulnerabilities allow an unauthenticated remote attacker to access sensitive information with the devices and cause DoS conditions.
CVE-2019-15993 – Information Disclosure Vulnerability
The vulnerability is due to a lack of security validation with authentication controls for accessing the web UI.
An attacker could exploit the vulnerability to send a malicious HTTP request to the malicious web UI, by exploiting the vulnerability attacker can access device information such as configuration files.
Vulnerable Products
This vulnerability affects the following Cisco products if they are running a firmware release earlier than 2.5.0.92:
- 250 Series Smart Switches
- 350 Series Managed Switches
- 350X Series Stackable Managed Switches
- 550X Series Stackable Managed Switches
This vulnerability affects the following Cisco products if they are running a firmware release earlier than 1.4.11.4:
- 200 Series Smart Switches
- 300 Series Managed Switches
- 500 Series Stackable Managed Switches
Now Cisco fixed released security updates to fix the vulnerability and they confirmed there is the malicious use of the vulnerability.
CVE-2020-3147 – DoS
The vulnerability allows an unauthenticated remote attacker to cause DoS condition on the affected device. the vulnerability is due to a lack of validation requests on the web UI.
It can be exploited by sending a malicious request, successful exploitation results in unexpected reload of the device that causes DoS condition, reads advisory.
Vulnerable Products
This vulnerability affects the following Cisco products if they are running a firmware release earlier than 1.3.7.18:
- 200 Series Smart Switches
- 300 Series Managed Switches
- 500 Series Stackable Managed Switches
- Products Confirmed Not Vulnerable
- Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
- 250 Series Smart Switches
- 350 Series Managed Switches
- 350X Series Stackable Managed Switches
- 550X Series Stackable Managed Switches
Cisco released updates to fix the vulnerability and they confirmed and they confirmed there is no malicious use of the vulnerability.
Cisco recently fixed a bug with Cisco Webex that allows an Unauthenticated Remote Attackers to Join Private Meetings Without Password