Network Security, Patch/Configuration Management, Vulnerability Management

Cisco issues multiple product updates, fixes critical flaws in small business switches


Cisco Systems issued a series of security updates on Aug. 6 and 7, in the process disclosing 26 vulnerabilities, including two critical ones found in its Small Business 220 Series Smart Switches.

The two most serious bugs consist of a remote code execution flaw (CVE-2019-1913) and an authentication bypass vulnerability (CVE-2019-1912) in the aforementioned switches, which are affected if they are running firmware versions prior to with the web management interface enabled. Cisco patched both problems with an Aug. 6 software released.

According to a Cisco advisory, the authentication bypass is caused by incomplete authorization checks in the web management interface, which allow attackers to modify a device's configuration or inject a reverse shell via a malicious request. The RCE flaw, meanwhile, is actually a series of vulnerabilities in the web management interface that are caused by "insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer," a second Cisco advisory states. Unauthenticated remote attackers can exploit this bug via malicious requests that trigger a buffer overflow, thus enabling the execution of arbitrary code.

Cisco also disclosed five high-level vulnerabilities in the Webex Network Recording Player and Webex Player, Enterprise NFC Infrastructure Software, IOS XR Software (2), and Adaptive Security Appliance Software. And it announced 19 medium-level vulnerabilities in its Webex Meetings Server Software, SPA112 2-Port Phone Adapter, SD-WAN Solution, Enterprise NFV Infrastructure Software, HyperFlex Software, Firepower Threat Defense Software, IoT Field Network Director, Firepower Management Center, Email Security Appliance, Adaptive Security Appliance, Identity Services Engine and Small Business 220 Series Smart Switches.

On Aug. 13, Cisco issued another security advisory warning of a medium-level flaw, described as a key negotiation of Bluetooth vulnerability, affects numerous Webex and IP Phones products.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.