PRUEBA AHORA
Vulnerability

Critical Vulnerabilities Fixed in Cisco Small Business Series Switches

3 min. read
22/05/2023
By Laura Libeer
Cisco-Vulnerability-Blog_Image_Base_Featured

⚡ TL;DR | Go Straight to the Cisco Small Business Series Vulnerability Audit Report

Cisco has released security updates for their Small Business Series Switches to address a number of critical buffer overflow vulnerabilities. The issues could allow an unauthenticated remote attacker to cause a denial of service or execute arbitrary code. To help you locate vulnerable switches, a new vulnerability report has been added to your Lansweeper installation. Make sure to install the updates as soon as possible to protect your network.

9 Severe to Critical Vulnerabilities

In total, the new security update addresses 9 vulnerabilities, all with CVSS base scores ranging from 9.8 (critical) to 7.5 (severe). None of the vulnerabilities are dependent on one another. The most important ones are 4 Buffer overflow vulnerabilities (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189). They are caused by improper validation of requests sent to the targeted switches’ web interfaces. A remote, unauthenticated attacker could exploit these issues in order to execute arbitrary code or to cause denial of service, without the need for user interaction.

So far, there are no reports that any of the issues addressed in the update are being exploited in the wild. However, Cisco also says that it is aware that proof-of-concept exploit code is available.

Update Vulnerable Cisco Small Business Series Switches

In order to protect your network you should update any vulnerable Small Business Series switches as soon as possible. There are no workarounds available for these issues You can find a list of affected devices and the fixed version below. You can find all details regarding the patches in Cisco’s advisory. You can download the updated firmware from the software center.

Affected ProductsCisco Firmware ReleaseFirst Fixed Release
250 Series Smart Switches2.5.9.15 and earlier2.5.9.16
350 Series Managed Switches2.5.9.15 and earlier2.5.9.16
350X Series Stackable Managed Switches2.5.9.15 and earlier2.5.9.16
550X Series Stackable Managed Switches2.5.9.15 and earlier2.5.9.16
Business 250 Series Smart Switches3.3.0.15 and earlier3.3.0.16
Business 350 Series Managed Switches3.3.0.15 and earlier3.3.0.16
Small Business 200 Series Smart Switches
Small Business 300 Series Managed Switches
Small Business 500 Series Stackable Managed Switches

Note that Cisco will not be releasing firmware updates for these vulnerabilities for the Cisco Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, and Small Business 500 Series Stackable Managed Switches. These have already entered their end-of-life process and are no longer eligible for updates.

Discover Vulnerable Cisco Switches

Our technical team has put together a special report to help you find all vulnerable Cisco Small Business Series switches in your network. It will give you a list of all switches that haven’t been updated yet. This way you have an actionable list of devices that are still at risk and you can take action accordingly. You can get to the report via the link below.