Image: Cisco // Composition: ZDNet

Cisco has patched today three dangerous bugs in one of its most popular products, the Cisco Small Business 220 Series of smart switches.

The three bugs are an authentication bypass (CVE-2019-1912, rated Critical, rating of 9.1 out of 10), a remote code execution (CVE-2019-1913, rated Critical, rating of 9.8 out of 10), and a command injection (CVE-2019-1914, rated Mediu, rating of 7.2 out of 10).

Of the three, the first two are the most dangerous because they can be exploited by remote attackers over the internet without needing to authenticate on the device. This means that any Cisco 220 Series smart switch that is reachable over the internet can be attacked.

In a security advisory published today, Cisco said attackers can leverage the authentication bypass vulnerability to upload files on Cisco 220 switches, either to replace configuration files or plant a reverse shell.

The second bug, and the most dangerous of the three, allows attackers to run malicious code with root privileges, effectively allowing attackers to take over devices with a simple HTTP or HTTPS request aimed at unpatched switches.

Patches and basic mitigations are available

The good news is that the three vulnerabilities reside in the switches' web management interface. Device owners can either turn off the web management interface or install the updates Cisco released today.

The company fixed the three bugs in Cisco Small Business 220 Series Smart Switches firmware version 1.1.4.4. All previous versions are to be considered vulnerable, the device maker said.

Cisco credited security researcher bashis for reporting the vulnerabilities through the VDOO Disclosure Program.

However, attackers interested in taking over Cisco routers are currently free to reverse-engineer the firmware and discover a way to exploit the three security flaws on their own.

All three bugs can be integrated into automated exploitation tools and then embedded into botnet scanners to start attacks.

Cisco devices are one of the most targeted equipment brands on the internet today, mainly because of their wide adoption. There is always one or more threat actors looking for vulnerable Cisco gear any day of the week, according to Bad Packets, a cyber-security firm that keeps track of botnet activity and malicious internet scanning.

Mass scanning activity detected checking for Cisco RV320/RV325 routers vulnerable to CVE-2019-1653 (https://t.co/nWQNYOAk4s).

Scans started at 2019-07-30T13:29:19Z and ended at 2019-07-30T18:55:43Z.

Scans originated from https://t.co/MR8pU8kJCb (@BitSight). pic.twitter.com/PKZdPx4NGL — Bad Packets Report (@bad_packets) July 31, 2019

⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️

Mass scanning activity detected from 198.12.64.10 (🇺🇸) checking for Cisco RV132W/RV134W routers vulnerable to sensitive information disclosure leading to RCE or DoS (CVE-2018-0125 / CVE-2018-0127 https://t.co/r39NEvZcYk).#threatintel pic.twitter.com/JuZS8orUrg — Bad Packets Report (@bad_packets) August 1, 2019

More vulnerability reports: