Cisco reveals critical bug in small biz VPN routers when half the world is stuck working at home

And we all know how good small business are at patching... NOT

Cisco has addressed a clutch of critical vulnerabilities in its small business and VPN routers that can be exploited by an unauthenticated, remote attacker to execute arbitrary code as the root user. All the attacker needs to do is send a maliciously crafted HTTP request to the web-based management interface.

Some of the affected devices are also Wi-Fi routers, so could well be in everyday use.

As Cisco explained this week in its advisory for bugs CVE-2021-1289 to CVE-2021-1295 inclusive:

These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device.

Cisco Small Business VPN routers RV160, RV160W, RV260, RV260P, and RV260W are vulnerable to exploitation if they are running firmware prior to release That version was made available on January 20, 2021, here, to fix these security holes, which score 9.8 out of 10 in CVSS severity.

The models mentioned above have another two flaws – CVE-2021-1296 and CVE-2021-1297 – that can be abused to “allow an unauthenticated, remote attacker to conduct directory traversal attacks and overwrite certain files that should be restricted on an affected system.” They are detailed here and have a CVSS rating of 7.5/10.

Stop sign in front of a bush. Image via Shutterstock

Cisco warns VMware vCenter bug puts hyperconverged tin in ‘unrecoverable’ state


More products in the RV range also have problems. Models RV016, RV042, RV042G, RV082, RV320, and RV325 have holes – CVE-2021-1319 to CVE-2021-1348 inclusive – that again relate to improper validation of input to the web interface. The bugs explained here are rated a 7.2, and aren't too serious. They can be exploited by an authenticated admin user to crash the device or execute commands on the host OS as root.

The same goes for these bugs – CVE-2021-1314 to CVE-2021-1318 – again related to bad HTTP handling.

Software upgrades are available to fix the issues. RV0XX devices with firmware version or earlier need the fix, as do RV32X devices running and earlier.

Small businesses – especially those without IT staff or contractors – are notoriously bad at managing devices. So it’s likely most of the RV16-and-26-series devices out there have not been updated. With so many people currently relying on VPNs while they work from home, this could get nasty.

Patch, people. Just patch. And tell your friends in small business to check if they’ve deployed these devices. ®

Similar topics

Other stories you might like

  • Pentester pops open Tesla Model 3 using low-cost Bluetooth module
    Anything that uses proximity-based BLE is vulnerable, claim researchers

    Tesla Model 3 and Y owners, beware: the passive entry feature on your vehicle could potentially be hoodwinked by a relay attack, leading to the theft of the flash motor.

    Discovered and demonstrated by researchers at NCC Group, the technique involves relaying the Bluetooth Low Energy (BLE) signals from a smartphone that has been paired with a Tesla back to the vehicle. Far from simply unlocking the door, this hack lets a miscreant start the car and drive away, too.

    Essentially, what happens is this: the paired smartphone should be physically close by the Tesla to unlock it. NCC's technique involves one gadget near the paired phone, and another gadget near the car. The phone-side gadget relays signals from the phone to the car-side gadget, which forwards them to the vehicle to unlock and start it. This shouldn't normally happen because the phone and car are so far apart. The car has a defense mechanism – based on measuring transmission latency to detect that a paired device is too far away – that ideally prevents relayed signals from working, though this can be defeated by simply cutting the latency of the relay process.

    Continue reading
  • Google assuring open-source code to secure software supply chains
    Java and Python packages are the first on the list

    Google has a plan — and a new product plus a partnership with developer-focused security shop Snyk — that attempts to make it easier for enterprises to secure their open source software dependencies.

    The new service, announced today at the Google Cloud Security Summit, is called Assured Open Source Software. We're told it will initially focus on some Java and Python packages that Google's own developers prioritize in their workflows. 

    These two programming languages have "particularly high-risk profiles," Google Cloud Cloud VP and GM Sunil Potti said in response to The Register's questions. "Remember Log4j?" Yes, quite vividly.

    Continue reading
  • Rocket Lab is taking NASA's CAPSTONE to the Moon
    Mission to lunar orbit is further than any Photon satellite bus has gone before

    Rocket Lab has taken delivery of NASA's CAPSTONE spacecraft at its New Zealand launch pad ahead of a mission to the Moon.

    It's been quite a journey for CAPSTONE [Cislunar Autonomous Positioning System Technology Operations and Navigation Experiment], which was originally supposed to launch from Rocket Lab's US launchpad at Wallops Island in Virginia.

    The pad, Launch Complex 2, has been completed for a while now. However, delays in certifying Rocket Lab's Autonomous Flight Termination System (AFTS) pushed the move to Launch Complex 1 in Mahia, New Zealand.

    Continue reading

Biting the hand that feeds IT © 1998–2022