mood Posted February 3, 2021

Cisco fixes critical code execution bugs in SMB VPN routers

Cisco has addressed multiple pre-auth remote code execution (RCE) vulnerabilities affecting several small business VPN routers and allowing attackers to execute arbitrary code as root on successfully exploited devices.

The root user is the system's superuser on Unix operating systems, a special user account usually used only for system administration tasks.

The security bugs with a severity rating of 9.8/10 were found in the web-based management interface of Cisco small business routers.

"These vulnerabilities exist because HTTP requests are not properly validated," Cisco explains in an advisory published earlier today.

"An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device."

Security update available for all vulnerable routers

According to Cisco, the following Small Business Routers are vulnerable to attacks attempting to exploit these vulnerabilities if running a firmware version earlier than Release 1.0.01.02:

- RV160 VPN Router
- RV160W Wireless-AC VPN Router
- RV260 VPN Router
- RV260P VPN Router with POE
- RV260W Wireless-AC VPN Router

Cisco says that its Dual WAN Gigabit VPN Routers (including RV340, RV340W, RV345, and RV345P) are not affected.

The company has fixed the vulnerabilities in firmware releases 1.0.01.02 and later issued for all impacted routers.

To update your router to the latest release, you have to go to the Cisco Software Center and follow this procedure:

1. Click Browse all.
2. Choose Routers > Small Business Routers > Small Business RV Series Routers.
3. Choose the appropriate router.
4. Choose Small Business Router Firmware.
5. Choose a release from the left pane of the product page.
No public exploits or active exploitation

Luckily, even if you cannot immediately patch vulnerable routers, the Cisco Product Security Incident Response Team (PSIRT) says that it isn't "aware of any public announcements or malicious use of the vulnerabilities."

The vulnerabilities were discovered and reported to Cisco by T. Shiomitsu, swings of Chaitin Security Research Lab, and simp1e of 1AQ Team.

Cisco today has also addressed high severity vulnerabilities impacting other business routers and the IOS XR software.

Last month, Cisco also patched several pre-auth RCE vulnerabilities affecting multiple SD-WAN products and the Cisco Smart Software Manager software.

Source: Cisco fixes critical code execution bugs in SMB VPN routers
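A way to check a device inventory against the affected models and fixed release named in the post above. This is an added example, not part of the original posts or Cisco's advisory; the CSV layout, host names and firmware values in the sample are constructed for illustration.

```python
import csv
import io

# Taken from the post: affected models, unaffected models, first fixed release.
AFFECTED_MODELS = {"RV160", "RV160W", "RV260", "RV260P", "RV260W"}
NOT_AFFECTED_MODELS = {"RV340", "RV340W", "RV345", "RV345P"}
FIXED_RELEASE = "1.0.01.02"

# Constructed sample inventory (assumed columns: host, model, firmware).
SAMPLE_INVENTORY = """host,model,firmware
edge-01,RV160,1.0.00.15
edge-02,rv260w,1.0.01.02
branch-03,RV260P,1.0.01.01
hq-04,RV345,1.0.03.20
lab-05,RV160W,unknown
old-06,RV042,4.2.3.14
"""

def parse_release(text):
    """Turn '1.0.01.02' into (1, 0, 1, 2) so zero-padded parts compare as numbers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware release: {text!r}")
    return tuple(int(p) for p in parts)

def classify(model, release):
    """Return a triage status for one device."""
    model = model.strip().upper()
    if model in NOT_AFFECTED_MODELS:
        return "not-affected"
    if model not in AFFECTED_MODELS:
        return "out-of-scope"  # model not named in the post; not judged here
    try:
        current = parse_release(release)
    except ValueError:
        return "check-manually"  # release string could not be parsed
    return "patched" if current >= parse_release(FIXED_RELEASE) else "vulnerable"

def triage(inventory_csv):
    """Map each host in the CSV text to its triage status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["model"], r["firmware"]) for r in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```
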
aum Posted February 5, 2021

Cisco has rolled out fixes for multiple critical vulnerabilities in the web-based management interface of Small Business routers that could potentially allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device.

The flaws — tracked from CVE-2021-1289 through CVE-2021-1295 (CVSS score 9.8) — impact RV160, RV160W, RV260, RV260P, and RV260W VPN routers running a firmware release earlier than Release 1.0.01.02.

Along with the aforementioned three vulnerabilities, patches have also been released for two more arbitrary file write flaws (CVE-2021-1296 and CVE-2021-1297) affecting the same set of VPN routers that could have made it possible for an adversary to overwrite arbitrary files on the vulnerable system.

All the nine security issues were reported to the networking equipment maker by security researcher Takeshi Shiomitsu, who has previously uncovered similar critical flaws in RV110W, RV130W, and RV215W Routers that could be leveraged for remote code execution (RCE) attacks.

While exact specifics of the vulnerabilities are still unclear, Cisco said the flaws (CVE-2021-1289, CVE-2021-1290, CVE-2021-1291, CVE-2021-1292, CVE-2021-1293, CVE-2021-1294, and CVE-2021-1295) are a result of improper validation of HTTP requests, allowing an attacker to craft a specially-crafted HTTP request to the web-based management interface and achieve RCE.

CVE-2021-1296 and CVE-2021-1297 are due to insufficient input validation, permitting an attacker to exploit these flaws using the web-based management interface to upload a file to a location that they should not have access to.
Separately, another set of five glitches (CVE-2021-1314 through CVE-2021-1318) in the web-based management interface of Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 routers could have granted an attacker the ability to inject arbitrary commands on the routers that are executed with root privileges.

Lastly, Cisco also addressed 30 additional vulnerabilities (CVE-2021-1319 through CVE-2021-1348), affecting the same set of products, that could allow an authenticated, remote attacker to execute arbitrary code and even cause a denial-of-service condition.

"To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on the affected device," Cisco said in an advisory published on February 3.

Kai Cheng from the Institute of Information Engineering, which is part of the Chinese Academy of Sciences, has been credited with reporting the 35 flaws in the router management interface.

The company also noted there's been no evidence of active exploitation attempts in the wild for any of these flaws, nor are there any workarounds that address the vulnerabilities.
Karlston Posted February 5, 2021

Similar topic merged.
Archived
This topic is now archived and is closed to further replies.