Several Cisco switches suitable for small business use have been found to be vulnerable to a serious security issue that could result in attackers gaining unauthorized access to the management console. While Cisco reports that no exploits for this vulnerability (CVE-2020-3297) have yet been seen, the nature of this issue suggests a proof of concept would not be difficult to create.
Affected Devices
The switches affected by this vulnerability are:
- 250 Series Smart Switches
- 350 Series Managed Switches
- 350X Series Stackable Managed Switches
- 550X Series Stackable Managed Switches
- Small Business 200 Series Smart Switches
- Small Business 300 Series Managed Switches
- Small Business 500 Series Stackable Managed Switches
Remediation
Cisco has released a firmware update to fix this issue for the following devices:
- Cisco 250 Series Smart Switches
- 350 Series Managed Switches
- 350X Series Stackable Managed Switches
- 550X Series Stackable Managed Switches
However, Cisco has confirmed that it “will not provide a firmware fix” for the following devices, as they are past their End-of-Life date:
- Small Business 200 Series Smart Switches
- Small Business 300 Series Managed Switches
- Small Business 500 Series Stackable Managed Switches