Access Control Bypass in Cisco Business 250 and 350 Series Switches
CVE-2024-20263
Key Information:
- Vendor: Cisco
- CVE Published: 26 January 2024
Summary
A vulnerability exists in the access control list (ACL) management within the stacked switch configuration of Cisco Business 250 Series Smart Switches and Business 350 Series Managed Switches. This flaw allows an unauthenticated, remote attacker to bypass ACL protections when a primary or backup switch undergoes a full stack reload or power cycle. The vulnerability arises from improper handling of ACLs in a stacked configuration, leading to potential manipulation of traffic flow. An attacker can exploit this by sending specially crafted traffic through an affected device, resulting in unexpected traffic management outcomes. While ACLs are properly enforced on primary devices, they may be applied inconsistently on backup devices, which could lead to security breaches.
Affected Version(s)
Cisco Small Business Smart and Managed Switches 2.0.0.73
Cisco Small Business Smart and Managed Switches 2.1.0.63
Cisco Small Business Smart and Managed Switches 2.2.0.63