Universal Plug-and-Play remains a gift-that-keeps-on-giving for infosec researchers, with Cisco announcing a critical vulnerability in the software that plagues its CVR100W wireless VPN router.
Because the CVR100W doesn't fully range-check UPnP input data, an attacker can crash the device, possibly getting access to a root shell.
Cisco's advisory says: “This vulnerability affects all firmware releases of the Cisco CVR100W Wireless-N VPN Router prior to Firmware Release 126.96.36.199”.
The bug was reported by GeekPwn and has been patched.
Switchzilla's Wednesday patchfest this week also includes three security vulnerabilities given a high rating:
- A denial-of-service bug in routers running IOS XR: the Event Management Service Daemon has a bug in gRPC request handling that can be exploited to crash the unit;
- TelePresence has a “ping of death” bug in its ICMP packet ingress processing, on both IPv4 and IPv6 traffic;
- Aironet 1800, 2800 and 3800 access points have a plug-and-play vulnerability. While PNP can be crashed through to a root shell, PNP is only active on unconfigured devices.
There are also medium-rated bugs in Cisco's Wide Area Application Services; the FirePOWER module in Firepower Threat Defense and ASA; its Unified Contact Center Enterprise Finesse notification service; the access control list for CVR100W wireless routers; the Unity Connection voicemail system; and Call Manager Express. ®