
Critical vulnerabilities in Cisco Smart Software Manager, Cisco Small Business SPA300 Series and SPA500 Series (CVE-2024-20419, CVE-2024-20450, CVE-2024-20452, CVE-2024-20454)

Advisory No: TZCERT/SA/2024/08/09-1

Date of First Release: 09th August 2024

Source: Cisco

Software Affected: Cisco Smart Software Manager, Cisco Small Business SPA300 Series and SPA500 Series

Overview:

Cisco products are affected by critical vulnerabilities. The vulnerabilities could allow an attacker to execute arbitrary code, or cause a denial of service (DoS) condition on the affected device.

Description:

Cisco Smart Software Manager, Cisco Small Business SPA300 Series, and SPA500 Series are affected by critical vulnerabilities tracked as CVE-2024-20419, CVE-2024-20450, CVE-2024-20452 and CVE-2024-20454, with base scores ranging from 9.8 to 10. The vulnerabilities are due to an improper implementation of the password-change process and to incoming HTTP packets not being properly checked for errors, which could result in a buffer overflow. They allow an unauthenticated remote attacker to access the web UI or API with the privileges of the compromised user, and to execute arbitrary commands on the underlying operating system or cause a denial of service (DoS) condition.

Impact:

Successful exploitation of these vulnerabilities may allow the attacker to take control of the affected system or cause a denial of service condition.

Solution:

Cisco has released patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.

References:

  1. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy
  2. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-http-vulns-RJZmX2Xz
