Security News > 2021 > June > Cisco Smart Switches Riddled with Severe Security Holes

Cisco Smart Switches Riddled with Severe Security Holes
2021-06-17 19:30

Cisco has flagged and patched several high-severity security vulnerabilities in its Cisco Small Business 220 Series Smart Switches that could allow session hijacking, arbitrary code execution, cross-site scripting and HTML injection.

Finally, CVE-2021-1571 could allow an unauthenticated, remote attacker to conduct a HTML injection attack.

The other high-severity bugs that Cisco addressed on Wednesday include the certificate-validation vulnerability in the Cisco Email Security Appliance and Cisco Web Security Appliance.

It exists in the way the Cisco Advanced Malware Protection for Endpoints integrates Cisco AsyncOS. If exploited, the bug could allow an unauthenticated, remote attacker to intercept traffic between an affected device and the AMP servers.

Finally, a vulnerability in the DLL loading mechanism of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack.

"An attacker could exploit this vulnerability by sending a series of crafted interprocess communication messages to the AnyConnect process. A successful exploit could allow the attacker to execute arbitrary code on the affected device with SYSTEM privileges. To exploit this vulnerability, the attacker must have valid credentials on the Windows system."


News URL

https://threatpost.com/cisco-smart-switches-security-holes/167031/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-06-16 CVE-2021-1571 Cross-site Scripting vulnerability in Cisco products
Multiple vulnerabilities in the web-based management interface of Cisco Small Business 220 Series Smart Switches could allow an attacker to do the following: Hijack a user session Execute arbitrary commands as a root user on the underlying operating system Conduct a cross-site scripting (XSS) attack Conduct an HTML injection attack For more information about these vulnerabilities, see the Details section of this advisory.
network
low complexity
cisco CWE-79
6.1

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Cisco 2046 21 1773 1669 288 3751