Businesses running any of Cisco’s 220 Series Smart Switches have some urgent patching work on their hands after the company announced that three serious flaws have been discovered by a researcher in the switches’ web management interface.
Two of the three flaws – CVE-2019-1913 and CVE-2019-1912 – are rated ‘critical’ because they allow remote code execution (RCE) and authentication bypass, respectively.
This means that hackers could gain root and compromise the switches by sending malicious requests.
Whether this is possible depends on whether HTTP/HTTPS management is enabled (the switches can also be managed using the command line or SNMP), which can be determined by entering the show running-config command via the command line.
The switch is not vulnerable if the following lines appear in the configuration:
no ip http server
no ip http secure server
The web management feature is enabled under Security > TCP/UDP Service.
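One way to turn that check into a repeatable exposure test across a fleet, as an added example that is not from the article or from Cisco: a small Python parser over captured show running-config output. The sample configs are constructed, and accepting the "secure-server" spelling alongside the article's "secure server" is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample running-config excerpts (not from the article). The first
# carries both "no ..." lines the article says indicate a non-vulnerable switch.
SAFE_CONFIG = """\
hostname sw-branch-01
no ip http server
no ip http secure server
"""
EXPOSED_CONFIG = """\
hostname sw-branch-02
ip http server
no ip http secure server
"""

# Accept both "secure server" (as written in the article) and "secure-server".
HTTP_RE = re.compile(r"^\s*(no\s+)?ip\s+http\s+server\s*$", re.IGNORECASE)
HTTPS_RE = re.compile(r"^\s*(no\s+)?ip\s+http\s+secure[\s-]+server\s*$", re.IGNORECASE)


@dataclass
class WebMgmtStatus:
    http_enabled: bool
    https_enabled: bool

    @property
    def exposed(self) -> bool:
        # The critical flaws are only reachable through the web UI, so either
        # listener being on means the switch needs the firmware update.
        return self.http_enabled or self.https_enabled


def web_management_status(running_config: str) -> WebMgmtStatus:
    """Parse `show running-config` text and report whether HTTP/HTTPS
    management is on. A leading `no` disables the service. Assumption: if a
    service line is absent entirely, treat it as enabled, because the article
    only declares the switch safe when the explicit `no` lines are present."""
    http = https = None
    for line in running_config.splitlines():
        m = HTTP_RE.match(line)
        if m:
            http = m.group(1) is None
            continue
        m = HTTPS_RE.match(line)
        if m:
            https = m.group(1) is None
    return WebMgmtStatus(http_enabled=http is not False,
                         https_enabled=https is not False)


def exposed_switches(configs):
    """Return the names of switches whose web UI is still reachable, i.e. the
    ones to patch (or disable web management on) first."""
    return [name for name, cfg in configs.items()
            if web_management_status(cfg).exposed]
```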
The third flaw – CVE-2019-1914 – is a command injection issue that is less dangerous because an attacker would first need to authenticate themselves by stealing or cracking the management credentials.
Announced in 2014, the 220 Series would make an inviting target for any hackers simply because it’s a small business product used by large numbers of customers across the world.
The list of affected 220 Series models: SG220-50P, SG220-50, SG220-26P, SG220-26, SF220-48P, SF220-48, SF220-24P, SF220-24.
All three vulnerabilities were discovered by a researcher identified as ‘bashis’ and reported to Cisco through the disclosure program run by Israeli company VDOO, which last year discovered security flaws in Foscam webcams.
What to do
For networks using the web management interface, the only solution is to apply firmware version 18.104.22.168 (all previous versions are vulnerable). Although Cisco says no mitigations are possible, logically, a short-term mitigation would be to turn off the management interface.
The 220 Series appears to have been patched for another medium-rated flaw in early 2019, with four further flaws fixed during the course of 2016.