Multiple Vulnerabilities in Cisco Small Business 220 Series Smart Switches

On August 6th, Cisco released three security advisories for the Small Business 220 Series Smart Switches, including two high-risk vulnerabilities, with a maximum CVSS 3.0 score of 9.8.

Vulnerability overview

  • CVE-2019-1914: Command Injection Vulnerability
    CVSS 3.0 rating: 7.2
    A vulnerability exists in the web management interface of the Cisco Small Business 220 Series Smart Switches, which can be exploited by authenticated remote attackers to perform command injection attacks.
  • CVE-2019-1912: Authentication Bypass Vulnerability
    CVSS 3.0 rating: 9.1
    A vulnerability exists in the web management interface of the Cisco Small Business 220 Series Smart Switches that could allow an attacker to upload arbitrary files without authentication.
  • CVE-2019-1913: Remote Code Execution Vulnerability
    CVSS 3.0 rating: 9.8
    Multiple vulnerabilities exist in the web management interface of the Cisco Small Business 220 Series Smart Switches. An unauthenticated attacker can execute arbitrary code with root privileges in the underlying operating system by triggering a buffer overflow.

Affected versions

  • Cisco Small Business 220 Series Smart Switches Firmware Version < 1.1.4.4

Unaffected versions

  • Cisco Small Business 220 Series Smart Switches Firmware Version >= 1.1.4.4

Solution

Cisco has released fixed firmware (version 1.1.4.4) for these vulnerabilities; affected users should upgrade the Cisco Small Business 220 Series Smart Switches firmware to 1.1.4.4 or later as soon as possible.
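As an added example (not part of the Cisco advisory), a small Python inventory check that flags switches still running firmware below the fixed release 1.1.4.4; the device names and versions in the sample are constructed, and the version strings are compared numerically so that a release such as 1.1.4.10 is not mistaken for a vulnerable one by string ordering.

```python
# Added example, not from the Cisco advisory: flag switches whose firmware is
# older than the fixed release 1.1.4.4 named in the advisory. Versions are
# compared component by component as integers, because a plain string
# comparison would wrongly rank "1.1.4.10" below "1.1.4.4".

FIXED_VERSION = "1.1.4.4"


def parse_version(version: str) -> tuple:
    """Turn a dotted firmware version such as '1.1.4.4' into a tuple of ints."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is older than the fixed release (i.e. < 1.1.4.4)."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: dict) -> dict:
    """Map each device name to 'affected', 'patched' or 'unknown'."""
    result = {}
    for name, version in inventory.items():
        try:
            result[name] = "affected" if is_affected(version) else "patched"
        except ValueError:
            # Unparseable version strings are reported rather than silently skipped.
            result[name] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "sw-branch-01": "1.1.3.1",   # below 1.1.4.4 -> affected
        "sw-branch-02": "1.1.4.4",   # fixed release -> patched
        "sw-branch-03": "1.1.4.10",  # newer than 1.1.4.4 -> patched
        "sw-lab-01": "n/a",          # cannot be parsed -> unknown
    }
    for device, status in triage(sample).items():
        print(f"{device}: {status}")
```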