Cisco Patches Three Vulnerabilities in Small Business 220 Series Smart Switches
On August 6, 2019, Cisco published three advisories for vulnerabilities in its Small Business 220 Series Smart Switches, two of which are rated critical.
- CVE-2019-1912: Cisco Small Business 220 Series Smart Switches Authentication Bypass Vulnerability
- CVE-2019-1913: Cisco Small Business 220 Series Smart Switches Remote Code Execution Vulnerabilities
- CVE-2019-1914: Cisco Small Business 220 Series Smart Switches Command Injection Vulnerability
The vulnerabilities exist in the web management interface of the Smart Switches. Of the three vulnerabilities, CVE-2019-1912 and CVE-2019-1913 are the most severe, as they received a 9.1 and 9.8 on the CVSSv3 scoring system respectively. A remote, unauthenticated attacker could exploit these vulnerabilities by sending malicious requests to the web management interface.
Exploitation of CVE-2019-1912 could allow an attacker to upload “arbitrary files” and either modify the configuration on the vulnerable device or “inject a reverse shell.”
Exploitation of CVE-2019-1913 could allow an attacker to gain arbitrary code execution with root privileges “on the underlying operating system.”
CVE-2019-1914 is less severe than the other two vulnerabilities with a CVSSv3 score of 7.2, because exploitation of this vulnerability requires the attacker to be authenticated with a valid login session on the web management interface with level 15 user privileges.
There were no public details about these vulnerabilities, including proof-of-concept (PoC) code, at the time this post was published. However, the vulnerabilities were reported to Cisco by a security researcher through a disclosure program, so additional details, including PoCs, could become available in the near future.
Cisco has released firmware update 1.1.4.4 to address these vulnerabilities.
Tenable is investigating these vulnerabilities for product coverage.
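Until plugin coverage lands, the practical check is to compare each switch's reported firmware against the fixed release. The script below is an added example, not code from the original post or from Cisco; the inventory in it is constructed, and the only fact it takes from the advisories is the fixed version 1.1.4.4. The point worth getting right is the comparison itself: a string compare treats "1.1.10.1" as older than "1.1.4.4", so devices on a numerically newer build would be flagged as vulnerable and devices whose version could not be read must not be silently counted as patched.

```python
"""Flag Cisco Small Business 220 Series switches still running firmware
older than 1.1.4.4, the release Cisco shipped for CVE-2019-1912/1913/1914.

Added example, not from the original post or from Cisco. The inventory is
constructed for illustration; the fixed version comes from the advisories.
"""
from typing import Dict, List, Tuple

FIXED_VERSION = "1.1.4.4"  # fixed release per Cisco's August 2019 advisories

# Constructed sample inventory: (hostname, firmware string as reported by the device)
INVENTORY: List[Tuple[str, str]] = [
    ("sg220-core-01", "1.1.3.1"),
    ("sg220-floor2", "1.1.4.4"),
    ("sg220-lab", "1.1.10.1"),   # hypothetical later build; numerically newer than 1.1.4.4
    ("sg220-dmz", "1.0.0.18"),
    ("sg220-unknown", "n/a"),    # management interface unreachable; must not be counted as patched
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.1.4.4' into (1, 1, 4, 4); raise ValueError on anything else."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is older than the fixed release.

    Tuples compare component by component as integers, so
    1.1.10.1 > 1.1.4.4 (string comparison would get this wrong).
    """
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split an inventory into vulnerable / patched / unknown hostnames."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, firmware in inventory:
        try:
            bucket = "vulnerable" if is_vulnerable(firmware) else "patched"
        except ValueError:
            bucket = "unknown"  # surface for manual follow-up rather than assume safe
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

Anything landing in the "unknown" bucket should be verified by hand; a switch whose management interface cannot be queried is exactly the kind of device that tends to be left unpatched.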
3 Replies
- Anonymous
Any plugin details available now?
- snarang (Product Team)
Hi @Suresh Viswanathan, thanks for your inquiry. We are still investigating the viability of product coverage at this time. If this is an urgent need for you, please file a support request at https://support.tenable.com/support-center/
- Anonymous
Thanks Satnam Narang (Tenable)