Organizations using Cisco Small Business 220 Series switches should make sure the firmware on the device is up-to-date with today's update from the networking box maker. Switchzilla says the SMB switches are host to the following three serious flaws that could allow an attacker to remotely upload files to, execute code on, and inject commands into a vulnerable switch.
CVE-2019-1013 is a root-level remote-code execution vulnerability stemming from a buffer overflow. To exploit the flaw, an unauthenticated attacker must send a specially-crafted packet through the web management interface via HTTP or HTTPS. Credit for discovery was given to "bashis" via the Vdoo Disclosure Program.
CVE-2019-1012 is an authentication bypass flaw that would result in the intruder being able to upload arbitrary files to the device. That bug can also be exploited via HTTP or HTTPS packets sent through the web interface. In this case, the flaw is due to incomplete authorization checks. Credit for reporting the bug was again given to "bashis" via the Vdoo Disclosure Program.
CVE-2019-1014 is a command injection flaw in the 220 Series switches that acts more like an elevation of privilege. To exploit the bug, an attacker must have a valid web management interface login with level 15 privileges. If those requirements are met, a malicious request could be sent to kick off arbitrary shell commands run with root privileges. The flaw was found and reported by – you guessed it – "bashis" from the Vdoo Disclosure Program.