Cisco Systems issued a series of security updates on Aug. 6 and 7, in the process disclosing 26 vulnerabilities, including two critical ones found in its Small Business 220 Series Smart Switches.
The two most serious bugs consist of a remote code execution flaw (CVE-2019-1913) and an authentication bypass vulnerability (CVE-2019-1912) in the aforementioned switches, which are affected if they are running firmware versions prior to 220.127.116.11 with the web management interface enabled. Cisco patched both problems with an Aug. 6 software released.
According to a Cisco advisory, the authentication bypass is caused by incomplete authorization checks in the web management interface, which allow attackers to modify a device's configuration or inject a reverse shell via a malicious request. The RCE flaw, meanwhile, is actually a series of vulnerabilities in the web management interface that are caused by "insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer," a second Cisco advisory states. Unauthenticated remote attackers can exploit this bug via malicious requests that trigger a buffer overflow, thus enabling the execution of arbitrary code.
Cisco also disclosed five high-level vulnerabilities in the Webex Network Recording Player and Webex Player, Enterprise NFC Infrastructure Software, IOS XR Software (2), and Adaptive Security Appliance Software. And it announced 19 medium-level vulnerabilities in its Webex Meetings Server Software, SPA112 2-Port Phone Adapter, SD-WAN Solution, Enterprise NFV Infrastructure Software, HyperFlex Software, Firepower Threat Defense Software, IoT Field Network Director, Firepower Management Center, Email Security Appliance, Adaptive Security Appliance, Identity Services Engine and Small Business 220 Series Smart Switches.
On Aug. 13, Cisco issued another security advisory warning of a medium-level flaw, described as a key negotiation of Bluetooth vulnerability, affects numerous Webex and IP Phones products.