Cisco warns to patch small business 220 series switches after exploit code published

Original advisory warned admins to patch in early August
  • Liam Tung (CSO Online)
  • 23 August, 2019 05:28

Cisco has warned customers using its Small Business 220 series smart switches to apply updates to address two serious security flaws after exploit code was released.

Both flaws affect the web interface admins use to manage the switches and were flagged by Cisco on August 6. 

The company has updated its advisories to warn customers using its Small Business 220 series smart switches that exploit code has now been published. 

One of them, identified as CVE-2019-1912, allows an attacker to bypass regular authentication without a valid password because Cisco’s software didn’t check authorization properly, which can be exploited by sending malicious requests to parts of the interface.    

“A successful exploit could allow the attacker to modify the configuration of an affected device or to inject a reverse shell,” Cisco warned. 

A reverse shell allows an attacker to communicate with the affected machine and bypass a firewall protections. 

Exploit code is also available for more serious vulnerabilities under CVE-2019-1913, also in the web management interface Cisco’s small business 220 series smart switches. This set of bugs allow a remote attacker to execute code with root privileges on the device’s operating system. 

The vulnerabilities allow a buffer overflow and can be exploited by an attacker sending malicious requests to the web interface of the device. 

Both issues affect Cisco Small Business 220 series smart switches running firmware versions prior to    

While there is publicly available exploit code for both issues Cisco notes that it has not seen the flaws being used in attacks in the wild. The flaws were reported by security researcher “bashis" through the VDOO disclosure program

Cisco has also warned customers to update four more newly disclosed critical flaws that affect its enterprise and data center products. 

This includes CVE-2019-1937, a flaw in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data. CVE-2019-1937, CVE-2019-1974 and CVE-2019-1935 affect the same products.