Of the three flaws in the Cisco 220 Series Smart Switches Small Business Series, two are critical remote code execution (CVE-2019-1913) and safety bypass authentication (CVE-2019-1912). A remote attacker who is not authenticated might use it to execute arbitrary root code and upload arbitrary files, respectively. The third vulnerability is the CVE-2019-1914 command injection vulnerability which could potentially enable authenticated remote attackers to start a command injection attack. As explained by updated Cisco security advisories: All three were reported through the VDOO Disclosure Program of the Company by the same security investigator, known as the’ bashis.’
The company also patched over 30 critical, high-gravity faults found in its Integrated Management Controller (IMC) and Cisco Unified Computing System (UCS) software. Of these, 15 have high safety flaws, while four have been considered critical with baseline values of CVSS v3.0 of 9.8. Three of the latter are bypass authentication defects, while the last is a default vulnerability to credentials. These are the details of Cisco’s security advisories for four critical flaws: These critical security issues enable unauthenticated remote attackers to launch low-complexity attacks after successfully exploiting devices using specially crafted malicious requests as well as using default log-in credentials. Cisco repaired critical flaws Four critical flaws have been patched and customers are recommended to mitigate possible attacks by installing the following software releases: Fortunately, Cisco’s PSIRT says it has not yet been aware of the malicious use of exploit code or public advertisements to address those critical vulnerabilities patched on Wednesday.
