Cisco released patches to fix several critical security vulnerabilities in its Small Business VPN routers. The vulnerabilities could enable remote attackers to execute arbitrary code and trigger a denial-of-service (DoS) condition.
CVE-2021-1609 and CVE-2021-1610 in Cisco Small Business Routers
Tracked in the CVE-2021-1609 and CVE-2021-1610 advisories, the flaws are rated 9.8 and 7.2 on the CVSS scale, respectively. More specifically, the vulnerabilities are located in the web-based management interface of the Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers that run a firmware release prior to version 1.0.03.22. Both vulnerabilities are caused by a lack of proper validation of HTTP requests, which enables threat actors to send a specially crafted HTTP request to a vulnerable device.
According to the official Cisco advisory, multiple vulnerabilities exist in the web-based management interface of the Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. These could allow an attacker to perform the following malicious actions:
- Arbitrary code execution;
- Execution of arbitrary commands;
- Denial-of-service.
“The web-based management interface for these devices is available through local LAN connections by default and cannot be disabled there. The interface can also be made available through the WAN interface by enabling the remote management feature. By default, the remote management feature is disabled on affected devices,” Cisco noted.
Users are advised to check whether the remote management feature is enabled for their VPN devices. To do so, you should open the web-based management interface via a local LAN connection, and select Basic Settings, then Remote Management.
Fortunately, so far there is no evidence that the vulnerabilities have been (or are currently) exploited in the wild.
68 Vulnerabilities in Cisco’s Small Business Routers RV110W, RV130, RV130W, and RV215W
Earlier this year, the company discovered that its Small Business RV110W, RV130, RV130W, and RV215W routers contained 68 vulnerabilities. However, Cisco said it did not plan to fix them. Instead, “customers are advised to refer to the end-of-life notices for these products,” the advisory explained.
The vulnerabilities in these specific Cisco routers existed because user-supplied input to the web-based management interface was not validated correctly. This could allow attackers to send crafted HTTP requests and carry out arbitrary code execution with root privileges. The vulnerable devices could also be restarted unexpectedly due to the exploit, leading to a denial-of-service condition.
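For teams tracking these devices in an asset inventory, the following added example (not Cisco's tooling and not part of the original article) triages records against both sets of models above: the RV340-series routers fixed in firmware 1.0.03.22 and the end-of-life models that will not be patched. The record fields `model`, `firmware` and `remote_mgmt` and the sample inventory are assumptions constructed for illustration.

```python
import re

FIXED = "1.0.03.22"  # first fixed firmware release, per the article
PATCHABLE = {"RV340", "RV340W", "RV345", "RV345P"}
END_OF_LIFE = {"RV110W", "RV130", "RV130W", "RV215W"}  # no fix planned


def parse_version(text):
    """Turn '1.0.03.22' into (1, 0, 3, 22) so zero-padded parts compare numerically."""
    parts = text.strip().split(".")
    if not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(device):
    """Classify one inventory record (hypothetical fields: model, firmware, remote_mgmt)."""
    model = device["model"].strip().upper()
    if model in END_OF_LIFE:
        return "eol-no-fix"
    if model not in PATCHABLE:
        return "not-listed"
    try:
        current = parse_version(device.get("firmware", ""))
    except ValueError:
        return "unknown-version"  # surface for manual review, never assume patched
    if current >= parse_version(FIXED):
        return "patched"
    # The LAN-side interface cannot be disabled; remote management adds WAN exposure.
    return "vulnerable-wan-exposed" if device.get("remote_mgmt") else "vulnerable-lan-only"


def report(inventory):
    """Return (hostname, status) pairs for every record."""
    return [(d.get("host", "?"), triage(d)) for d in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and firmware strings are illustrative only.
    sample = [
        {"host": "branch-1", "model": "RV340", "firmware": "1.0.03.21", "remote_mgmt": True},
        {"host": "branch-2", "model": "rv345p", "firmware": "1.0.3.22", "remote_mgmt": False},
        {"host": "branch-3", "model": "RV130W", "firmware": "1.0.3.55"},
    ]
    for host, status in report(sample):
        print(f"{host}: {status}")
```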