Public exploit code for critical flaws in its 220 Series smart switches
Users of Cisco UCS Director and Cisco UCS Director Express for Big Data are advised to upgrade to versions 6.7.3.0 and 3.7.3.0, respectively, as they fix, among other things:
- CVE-2019-1974, an authentication bypass vulnerability that could allow an unauthenticated, remote attacker to bypass user authentication and gain access as an administrative user.
- CVE-2019-1938, an API authentication bypass vulnerability that could be triggered by a specially crafted HTTP requests sent to an affected device and could allow the attacker to execute arbitrary actions with administrator privileges on an affected system
- CVE-2019-1937, another authentication bypass flaw that could allow an unauthenticated, remote attacker to acquire a valid session token with administrator privileges.
- CVE-2019-1935, a documented default account with an undocumented default password and incorrect permission settings that could allow an attacker to log in to an affected system and execute arbitrary commands with the privileges of the scpuser account (this includes full read and write access to the system’s database).
Cisco already pointed to the relevant security updates for Cisco 220 Series smart switches earlier this month, but they are now saying that public exploit code for all three of the fixed vulnerability exists, so users should upgrade their switches’ firmware to releases 1.1.4.4 and later as soon as possible.
Among the other fixes of particular note in this batch are those for:
- CVE-2019-9506, a Bluetooth key negotiation vulnerability that can be exploited in a KNOB attack. It affects Cisco’s Webex endpoints and several series of IP phones.
- CVE-2019-1649, a Secure Boot flaw that could allow an attacker with local access to modify the firmware of many of Cisco’s solutions, including its Adaptive Security Appliances (ASA), Firepower switches, and a huge number of router models.