Multiple vulnerabilities in Cisco Business 220 Series Smart Switches

Published: 2021-10-07

Risk	Low
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2021-34744 CVE-2021-34757
CWE-ID	CWE-540
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Cisco Small Business 220 Series Smart Switches Hardware solutions / Routers & switches, VoIP, GSM, etc
Vendor	Cisco Systems, Inc

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Inclusion of Sensitive Information in Source Code

EUVDB-ID: #VU57106

Risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-34744

CWE-ID: CWE-540 - Inclusion of Sensitive Information in Source Code

Exploit availability: No

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to the use of a static cryptographic key. A remote administrator can obtain sensitive login credentials for other applications.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco Small Business 220 Series Smart Switches: 1.2.0.6

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-hardcoded-cred-MJCEXvX

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Inclusion of Sensitive Information in Source Code

EUVDB-ID: #VU57107