Cisco addressed high-severity flaws in Small Business Switches that can be exploited to access sensitive device data and to trigger a DoS condition.
Cisco released security patches
Both issues could be exploited by remote, unauthenticated attackers; they were reported by Ken Pyle of DFDR Consulting.
The first vulnerability, tracked as CVE-2019-15993, is an information disclosure issue caused by the lack of proper authentication controls. Attackers can exploit it by sending specially crafted HTTP requests to the web user interface of vulnerable Cisco Small Business Switches.
“A vulnerability in the web UI of Cisco Small Business Switches could allow an unauthenticated, remote attacker to access sensitive device information,” reads the security advisory published by Cisco. “The vulnerability exists because the software lacks proper authentication controls to information accessible from the web UI. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web UI of an affected device. A successful exploit could allow the attacker to access sensitive device information, which includes configuration files.”
The second vulnerability is a
“A vulnerability in the web UI of Cisco Small Business Switches could allow an
“The vulnerability is due to improper validation of requests sent to the web interface. An attacker could exploit this vulnerability by sending a malicious request to the web interface of an affected device. A successful exploit could allow the attacker to cause an unexpected reload of the device, resulting in a
Cisco is not aware of any attacks exploiting the vulnerabilities in the wild.
This week Cisco has also addressed a high-severity flaw in the Cisco Webex video conferencing platform (CVE-2020-3142) that could be exploited by a remote, unauthenticated attacker to enter a password-protected video conference meeting.
In order to exploit the CVE-2020-3142 flaw, the attacker only needs to know the meeting ID, which, once entered in the Webex mobile application for either iOS or Android, allows them to join the meeting while bypassing any authentication.