Advisory Overview
Cisco Systems is warning its customers about a Remote Code Execution (RCE) vulnerability in its line of small business switches. Please be aware that end of life (EOL) products will not be patched (see table below). SKOUT advises patching affected devices and upgrading EOL hardware.
Technical detail and additional information
What is the threat?
A remote code execution vulnerability in certain Cisco’s switches could allow an attacker to hijack their target’s session, gaining access to the web-based management interface.
Why is this noteworthy?
If your network switch is compromised, your entire network is at the mercy of the attacker. They could completely incapacitate your network by erasing your switch configuration as well as locking out your network admin accounts which would prevent them from remediating the issue.
What is the exposure or risk?
If the threat actor has compromised an administrator account, they could disable security features on your Cisco switches, which could aid the attacker in data exfiltration. For example, ARP cache poisoning, a type of attack where the attacker spoofs the MAC address to steal network traffic meant for another machine.
What are the recommendations?
SKOUT recommends installing the patch released by Cisco. If your Cisco device is end of life, we highly recommend reaching out to your Cisco vendor to update the necessary hardware.
Security updates for the Cisco products affected:
| Product | Status |
| 250 Series Smart Switches | Patch Available |
| 350 Series Managed Switches | Patch Available |
| 350X Series Stackable Managed Switches | Patch Available |
| 550X Series Stackable Managed Switches | Patch Available |
| Small Business 200 Series Smart Switches | No Patch Available / End of Life |
| Small Business 300 Series Smart Switches | No Patch Available / End of Life |
| Small Business 500 Series Stackable Managed Switches | No Patch Available / End of Life |
Link to Patch Downloads:
The patch is available from Cisco’s Software Center on Cisco.com. Click “Browse all” and navigate to Switches > LAN Switches – Small Business.
References:
- https://threatpost.com/cisco-warns-high-severity-bug-small-business-switch/157090/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbswitch-session-JZAS5jnY
- https://nvd.nist.gov/vuln/detail/CVE-2020-3297
- https://en.wikipedia.org/wiki/ARP_spoofing
If you have any questions, please contact our Security Operations Center.
