behemoth Cisco has rolled out an important firmware update for users of its 220
Series smart switches after a researcher discovered three security flaws in the
systems, including two deemed critical.

In typical
bug-reporting fashion, Switchzilla has published separate advisories for all
three vulnerabilities, labeling them by severity. All three flaws are found in
the web management interface. Bugs CVE-2019-1912 and CVE-2019-1913 are considered critical.

If exploited
correctly, the first could allow an unauthenticated, remote attacker to upload
arbitrary files and modify the configuration of an affected device, or to
inject a reverse shell. The second vulnerability could let an unauthenticated,
remote attacker overflow a buffer, which would then allow execution of
arbitrary code with root privileges on the operating system. The third bug, CVE-2019-1914, could allow an authenticated,
remote attacker to perform a command injection attack. The severity of this bug
is rated “medium,” but a successful exploit could “allow the attacker to
execute arbitrary shell commands with the privileges of the root user,”
according to the advisory.

Cisco has
released a software update that addresses all three vulnerabilities. The
company is careful to point out that no workarounds address these bugs, so
users are urged to update their firmware versions to as soon as
possible. At the time of this writing, there were no reports of these
vulnerabilities being exploited in the wild.