Cisco Smart Switches Riddled with Severe Security Holes
Cisco has flagged and patched several high-severity security vulnerabilities in its Cisco Small Business 220 Series Smart Switches that could allow session hijacking, arbitrary code execution, cross-site scripting and HTML injection.
Among them, CVE-2021-1571 could allow an unauthenticated, remote attacker to conduct an HTML injection attack.
The other high-severity bugs that Cisco addressed on Wednesday include a certificate-validation vulnerability in the Cisco Email Security Appliance and Cisco Web Security Appliance.
It exists in the way Cisco AsyncOS integrates with Cisco Advanced Malware Protection (AMP) for Endpoints. If exploited, the bug could allow an unauthenticated, remote attacker to intercept traffic between an affected device and the AMP servers.
Finally, a vulnerability in the DLL loading mechanism of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack.
"An attacker could exploit this vulnerability by sending a series of crafted interprocess communication messages to the AnyConnect process. A successful exploit could allow the attacker to execute arbitrary code on the affected device with SYSTEM privileges. To exploit this vulnerability, the attacker must have valid credentials on the Windows system."
News URL: https://threatpost.com/cisco-smart-switches-security-holes/167031/
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK SCORE |
|---|---|---|---|
| 2021-06-16 | CVE-2021-1571 | Cross-site Scripting vulnerability in Cisco products. Multiple vulnerabilities in the web-based management interface of Cisco Small Business 220 Series Smart Switches could allow an attacker to: hijack a user session; execute arbitrary commands as a root user on the underlying operating system; conduct a cross-site scripting (XSS) attack; conduct an HTML injection attack. For more information about these vulnerabilities, see the Details section of this advisory. | 6.1 |