SB2020070209 - Multiple vulnerabilities in Cisco Small Business Smart and Managed Switches

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper Authentication (CVE-ID: CVE-2020-3297)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the use of weak entropy generation for session identifier values. A remote attacker can perform a brute-force attack to determine a current session identifier, bypass authentication process and gain unauthorized access to the application.

2) Input validation error (CVE-ID: CVE-2020-3363)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the IPv6 packet processing engine. A remote attacker can send a specially crafted IPv6 packet and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbswitch-session-JZAS5jnY
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbss-ipv6-dos-3bLk6vA