Cisco Small Business 220 Series Smart Switches Remote Code Execution Vulnerabilities

2019-08-0614:00:00

tools.cisco.com

EPSS

0.008

Percentile

81.5%

JSON

Multiple vulnerabilities in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to overflow a buffer, which then allows the execution of arbitrary code with root privileges on the underlying operating system.

The vulnerabilities are due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer. An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device. Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-rce [“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-rce”]

Affected configurations

Vulners

Node

ciscosmall_business_220_series_smart_plus_switchesMatchany

ciscosmall_business_srp541wMatch220_series_smart_plus_switches

VendorProductVersionCPE
ciscosmall_business_220_series_smart_plus_switchesanycpe:2.3:a:cisco:small_business_220_series_smart_plus_switches:any:*:*:*:*:*:*:*
ciscosmall_business_srp541w220_series_smart_plus_switchescpe:2.3:h:cisco:small_business_srp541w:220_series_smart_plus_switches:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	small_business_220_series_smart_plus_switches	any	cpe:2.3:a:cisco:small_business_220_series_smart_plus_switches:any:::::::*
cisco	small_business_srp541w	220_series_smart_plus_switches	cpe:2.3:h:cisco:small_business_srp541w:220_series_smart_plus_switches:::::::*