CVE-2024-20263

Summary

A vulnerability with the access control list (ACL) management within a stacked switch configuration of Cisco Business 250 Series Smart Switches and Business 350 Series Managed Switches could allow an unauthenticated, remote attacker to bypass protection offered by a configured ACL on an affected device. This vulnerability is due to incorrect processing of ACLs on a stacked configuration when either the primary or backup switches experience a full stack reload or power cycle. An attacker could exploit this vulnerability by sending crafted traffic through an affected device. A successful exploit could allow the attacker to bypass configured ACLs, causing traffic to be dropped or forwarded in an unexpected manner. The attacker does not have control over the conditions that result in the device being in the vulnerable state. Note: In the vulnerable state, the ACL would be correctly applied on the primary devices but could be incorrectly applied to the backup devices.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Small Business Smart and Managed Switches2.0.0.73affected
CiscoCisco Small Business Smart and Managed Switches2.1.0.63affected
CiscoCisco Small Business Smart and Managed Switches2.2.0.63affected
CiscoCisco Small Business Smart and Managed Switches2.2.0.66affected
CiscoCisco Small Business Smart and Managed Switches2.2.5.68affected
CiscoCisco Small Business Smart and Managed Switches2.2.7.07affected
CiscoCisco Small Business Smart and Managed Switches2.2.8.04affected
CiscoCisco Small Business Smart and Managed Switches2.3.0.130affected
CiscoCisco Small Business Smart and Managed Switches2.3.5.63affected
CiscoCisco Small Business Smart and Managed Switches2.4.0.91affected
CiscoCisco Small Business Smart and Managed Switches2.4.0.94affected
CiscoCisco Small Business Smart and Managed Switches2.4.5.71affected
CiscoCisco Small Business Smart and Managed Switches2.5.0.78affected
CiscoCisco Small Business Smart and Managed Switches2.5.0.79affected
CiscoCisco Small Business Smart and Managed Switches2.5.0.82affected
CiscoCisco Small Business Smart and Managed Switches2.5.0.83affected
CiscoCisco Small Business Smart and Managed Switches2.5.0.89affected
CiscoCisco Small Business Smart and Managed Switches2.5.0.90affected
CiscoCisco Small Business Smart and Managed Switches2.5.0.92affected
CiscoCisco Small Business Smart and Managed Switches2.5.5.47affected
CiscoCisco Small Business Smart and Managed Switches2.5.7.85affected
CiscoCisco Small Business Smart and Managed Switches2.5.8.12affected
CiscoCisco Small Business Smart and Managed Switches2.5.8.15affected
CiscoCisco Small Business Smart and Managed Switches2.5.9.13affected
CiscoCisco Small Business Smart and Managed Switches2.5.9.15affected
CiscoCisco Small Business Smart and Managed Switches2.5.9.16affected
CiscoCisco Small Business Smart and Managed Switches3.0.0.61affected
CiscoCisco Small Business Smart and Managed Switches3.0.0.69affected
CiscoCisco Small Business Smart and Managed Switches3.1.0.57affected
CiscoCisco Small Business Smart and Managed Switches3.1.1.7affected
CiscoCisco Small Business Smart and Managed Switches3.2.0.84affected
CiscoCisco Small Business Smart and Managed Switches3.2.0.89affected
CiscoCisco Small Business Smart and Managed Switches3.2.1.1affected
CiscoCisco Small Business Smart and Managed Switches3.3.0.16affected

Weaknesses

  • CWE-284: Improper Access Control

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References