SMALL CISCO SWITCH SOFTWARE
This flaw (CVE-2020-3324) also stems from insufficient validation of incoming IPv6 traffic and could enable an unauthenticated, remote attacker to launch a DoS attack on affected devices.Īnother high-severity flaw (CVE-2020-3411) in Cisco’s DNA Center software could allow an unauthenticated remote attacker access to sensitive information on impacted systems. Cisco StarOS is a virtualized software architecture that spans the ASR (Aggregation Services Routers) 5000 Series. One of those is a similar vulnerability in the IPv6 implementation of Cisco StarOS.
“There are no workarounds that address this vulnerability.”īeyond this flaw, Cisco fixed three other high-severity vulnerabilities, with a slew of Thursday security advisories. “Cisco has released software updates that address this vulnerability for devices that have not reached the end of software maintenance,” Cisco said. This flaw specifically affects IPv6 traffic – IPv4 traffic (the IP that IPv6 replaced) is not affected, said Cisco. The Cisco Product Security Incident Response Team (PSIRT) said it is not aware of any public announcements or malicious use of the vulnerability. In July, Cisco warned that it wasn’t issuing firmware updates in the three switches to address a high-severity flaw that could allow remote, unauthenticated attackers to access the switches’ management interfaces with administrative privileges. It’s not the first time that end of life (EoL) has stopped Cisco from issuing patches for these specific switches when they were vulnerable.
SMALL CISCO SWITCH SERIES
Those are: Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches and Small Business 500 Series Stackable Managed Switches. Updates are available for these products in Release 2.5.5.4.7.Īlso affected by the flaw are three series of switches that have reached the end-of-software-maintenance milestone, meaning they will not receive patches. These switch lineups range in functionality and price, but all were released between 20, and all are web-managed, entry-level devices intended for small businesses. “A successful exploit could allow the attacker to cause an unexpected reboot of the switch, leading to a DoS condition.”Ĭisco switches affected by this flaw include: 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, 550X Series Stackable Managed Switches. “An attacker could exploit this vulnerability by sending a crafted IPv6 packet through an affected device,” said Cisco in its Wednesday advisory. The flaw (CVE-2020-3363), which has a CVSS score of 8.6 out of 10, is due to insufficient validation of incoming IPv6 traffic. IPv6 (also known as Internet Protocol version 6) is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification system for computers on networks and routes traffic across the Internet. The vulnerability stems from the IPv6 packet processing engine in the switches.
Cisco is warning of a high-severity flaw that could allow remote, unauthenticated attackers to cripple several of its popular small-business switches with denial of service (DoS) attacks.