Cisco is warning of a high-severity vulnerability in its small business smart and managed switches that could allow an unauthenticated, remote attacker to cause a denial-of-service (DoS) condition on an affected device.
According to a Cisco advisory, the vulnerability, CVE-2020-3363, is due to insufficient validation of incoming IPv6 packets passing through an affected device.
The vulnerability, which has a CVSS score of 8.6, could be exploited by sending a crafted IPv6 packet through the device, causing an unexpected reboot of the switch and leading to a DoS condition, according to Cisco.
These Cisco switches are affected:
- 250 Series Smart Switches
- 350 Series Managed Switches
- 350X Series Stackable Managed Switches
- 550X Series Stackable Managed Switches
- Small Business 200 Series Smart Switches
- Small Business 300 Series Managed Switches
- Small Business 500 Series Stackable Managed Switches
Users are urged to patch the vulnerability via a free software update in release 18.104.22.168 for the 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches and 550X Series Stackable Managed Switches.
However, the Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches and Small Business 500 Series Stackable Managed Switches have passed the end-of-software-maintenance milestone, and Cisco will not be providing a firmware fix for them.
The company said it is unaware of any exploits in the wild. The vulnerability was found during internal testing.