Cisco has addressed a clutch of critical vulnerabilities in its small business and VPN routers that can be exploited by an unauthenticated, remote attacker to execute arbitrary code as the root user. All the attacker needs to do is send a maliciously crafted HTTP request to the web-based management interface.
Some of the affected devices are also Wi-Fi routers, so could well be in everyday use.
As Cisco explained this week in its advisory for bugs CVE-2021-1289 to CVE-2021-1295 inclusive:
These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device.
Cisco Small Business VPN routers RV160, RV160W, RV260, RV260P, and RV260W are vulnerable to exploitation if they are running firmware prior to release 1.0.01.02. That version was made available on January 20, 2021, here, to fix these security holes, which score 9.8 out of 10 in CVSS severity.
The models mentioned above have another two flaws – CVE-2021-1296 and CVE-2021-1297 – that can be abused to “allow an unauthenticated, remote attacker to conduct directory traversal attacks and overwrite certain files that should be restricted on an affected system.” They are detailed here and have a CVSS rating of 7.5/10.
Cisco warns VMware vCenter bug puts hyperconverged tin in ‘unrecoverable’ stateREAD MORE
More products in the RV range also have problems. Models RV016, RV042, RV042G, RV082, RV320, and RV325 have holes – CVE-2021-1319 to CVE-2021-1348 inclusive – that again relate to improper validation of input to the web interface. The bugs explained here are rated a 7.2, and aren't too serious. They can be exploited by an authenticated admin user to crash the device or execute commands on the host OS as root.
The same goes for these bugs – CVE-2021-1314 to CVE-2021-1318 – again related to bad HTTP handling.
Software upgrades are available to fix the issues. RV0XX devices with firmware version 22.214.171.124 or earlier need the fix, as do RV32X devices running 126.96.36.199 and earlier.
Small businesses – especially those without IT staff or contractors – are notoriously bad at managing devices. So it’s likely most of the RV16-and-26-series devices out there have not been updated. With so many people currently relying on VPNs while they work from home, this could get nasty.
Patch, people. Just patch. And tell your friends in small business to check if they’ve deployed these devices. ®