Networking behemoth Cisco has rolled out an important firmware update for users of its 220 Series smart switches after a researcher discovered three security flaws in the systems, including two deemed critical.
In typical bug-reporting fashion, Switchzilla has published separate advisories for all three vulnerabilities, labeling them by severity. All three flaws are found in the web management interface. Bugs CVE-2019-1912 and CVE-2019-1913 are considered critical.
If exploited correctly, the first could allow an unauthenticated, remote attacker to upload arbitrary files and modify the configuration of an affected device, or to inject a reverse shell. The second vulnerability could let an unauthenticated, remote attacker overflow a buffer, which would then allow execution of arbitrary code with root privileges on the operating system. The third bug, CVE-2019-1914, could allow an authenticated, remote attacker to perform a command injection attack. The severity of this bug is rated “medium,” but a successful exploit could “allow the attacker to execute arbitrary shell commands with the privileges of the root user,” according to the advisory.
Cisco has released a software update that addresses all three vulnerabilities. The company is careful to point out that no workarounds address these bugs, so users are urged to update their firmware versions to 18.104.22.168 as soon as possible. At the time of this writing, there were no reports of these vulnerabilities being exploited in the wild.