Cisco SMB kit harbors cross-site scripting bug: One wrong link click... and that's your router pwned remotely

VPN gear vulnerable to remote hijackings

Cisco has patched a cross-site scripting vulnerability in two VPN routers it sells to small businesses and branch offices.

The software update addresses CVE-2020-3431, a bug present in the Cisco Small Business RV042 Dual WAN VPN Router and Cisco Small Business RV042G Dual Gigabit WAN VPN Router. We're told this flaw can be exploited by "an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device."

In other words, if someone tricks you into clicking on a specially crafted link in a browser, for instance, they can potentially access your equipment's management interface as you, changing or snooping on your configuration settings to gain further access or cause mischief. This requires the web-based interface to be enabled. By default, the management feature is disabled for remote users, though it is enabled for people on the same LAN.

"A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information," Cisco explained in its advisory yesterday.

"The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link.

"To determine whether the remote management feature is enabled for a device, open the web-based management interface through a local LAN connection and choose Basic Settings > Remote Management. If the 'Enable' check box is checked, remote management is enabled for the device."

woman yawns

Bored at home? Cisco has just the thing: A shed-load of security fixes to install, from a Kerberos bypass to crashes


Switchzilla said it squashed the bug in its firmware update for both models.

While Cisco classified CVE-2020-3431 as a "moderate" security risk, infosec outfit CyCognito, which discovered and reported the vulnerability, told The Register on Wednesday that in the worst-case scenario, a miscreant could exploit the flaw to ultimately take complete control of the device before moving laterally.

The attacker could, say, send a network administrator an email containing a link to a page that exploited the XSS bug to hijack the VPN gateway.

"Once he clicks on the link we can run the web page, we can basically control his administrator account, we can get credentials," explained CyCognito head of security research Alex Zaslavsky, who, along with researcher Chen Bremer, was credited with finding the bug. "Web connections can be very powerful, once we get his credentials we can change anything."

While working in the field with a large unnamed customer, CyCognito uncovered the flaw in a router in a branch office, we're told. CyCognito then investigated the issue and, after figuring out the details of the vulnerability, reported it to Cisco for patching. Last night, Cisco said it was "not aware of any public announcements or malicious use of the vulnerability." ®

Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022