Cisco has patched a High severity Cisco small business switch vulnerability (CVE-2020-3297) and 7 other Medium rated issues that affect multiple Cisco products.
The vulnerability CVE-2020-3297 exists in session management for the web-based interface of Cisco Small Business Smart and Managed Switches.
As a result, a remote unauthenticated attacker could defeat authentication protections and gain unauthorized access to the management interface.
“The vulnerability is due to the use of weak entropy generation for session identifier values. An attacker could exploit this vulnerability to determine a current session identifier through brute force and reuse that session identifier to take over an ongoing session. In this way, an attacker could take actions within the management interface with privileges up to the level of the administrative user,” Cisco warned in the advisory.
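To make the entropy point concrete, here is an added Python example (not code from Cisco or the advisory): a constructed weak session-identifier generator that seeds a non-cryptographic PRNG from a low-entropy value, beside a hardened one drawn from the OS CSPRNG, with a check that the effective entropy of a token is bounded by the size of its seed space. The seed-space figure and the 64-bit floor (the minimum the OWASP Session Management Cheat Sheet recommends) are assumptions.

```python
# Weak vs. hardened session identifier generation (constructed example).
import math
import random
import secrets

# Minimum entropy a session identifier should carry; 64 bits is the
# commonly cited floor (assumption, from the OWASP session guidance).
MIN_ENTROPY_BITS = 64


def weak_session_id(seed: int) -> str:
    """Hypothetical weak generator: a non-cryptographic PRNG seeded from a
    low-entropy value such as a coarse timestamp. Same seed, same token."""
    rng = random.Random(seed)
    return "".join(f"{rng.randrange(256):02x}" for _ in range(16))


def strong_session_id() -> str:
    """Hardened form: 128 bits straight from the OS CSPRNG."""
    return secrets.token_hex(16)


def effective_entropy_bits(seed_space: int) -> float:
    """A token is only as unpredictable as the input that produced it:
    a 32-hex-character id derived from N possible seeds has log2(N) bits,
    however long the id looks."""
    return math.log2(seed_space)


def is_deterministic(generator, seed: int) -> bool:
    """True when the generator yields the same token for the same seed,
    i.e. the id space has collapsed to the seed space."""
    return generator(seed) == generator(seed)


def meets_minimum(bits: float) -> bool:
    """Policy check a reviewer would apply to a session-id design."""
    return bits >= MIN_ENTROPY_BITS


if __name__ == "__main__":
    # Assumed seed: one-second timestamps over a day, 86_400 possibilities.
    day_bits = effective_entropy_bits(86_400)
    print(is_deterministic(weak_session_id, 1_600_000_000))   # True
    print(round(day_bits, 1), meets_minimum(day_bits))        # 16.4 False
    print(strong_session_id() != strong_session_id(), meets_minimum(128))  # True True
```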
Cisco also patched seven other Medium severity vulnerabilities in the following products:
- CVE-2020-3431: Cisco Small Business RV042 and RV042G Routers Cross-Site Scripting Vulnerability
- CVE-2020-3340: Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities
- CVE-2020-3391: Cisco Digital Network Architecture Center Information Disclosure Vulnerability
- CVE-2020-3402: Cisco Unified Customer Voice Portal Information Disclosure Vulnerability
- CVE-2020-3420: Cisco Unified Communications Manager Stored Cross-Site Scripting Vulnerability
- CVE-2020-3282: Cisco Unified Communications Products Cross-Site Scripting Vulnerability
- CVE-2020-3432: Cisco AnyConnect Secure Mobility Client for Mac OS File Corruption Vulnerability
Network administrators should apply the necessary updates as soon as possible.