Overview

Cisco products are affected by critical vulnerabilities. The vulnerabilities could allow an attacker to execute arbitrary code or cause a denial of service (DoS) condition on the affected device.

Description

Cisco Smart Software Manager, Cisco Small Business SPA300 Series, and SPA500 Series are affected by critical vulnerabilities tracked as CVE-2024-20419, CVE-2024-20450, CVE-2024-20452, CVE-2024-20454 with base scores ranging from 9.8 to 10. The vulnerabilities are due to improper implementation of the password-change process, and because incoming HTTP packets are not properly checked for errors, which could result in a buffer overflow. The vulnerabilities allow the unauthenticated remote attacker to access the web UI or API with the privileges of the compromised user and execute arbitrary commands on the underlying operating system or cause a denial of service (DoS) condition.

Impact

Successful exploitation of these vulnerabilities may allow the attacker to take control of the affected system or cause a denial of service condition.

Solution

Cisco has released patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.

References

• 1. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy
• 2. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-http-vulns-RJZmX2Xz