Cisco announced that it has fixed pre-authentication security vulnerabilities that affect many small business VPN routers and allow hackers to remotely trigger a denial of service (DoS) condition or execute arbitrary commands and code on vulnerable devices.
The two security flaws, tracked as CVE-2021-1609 (rated 9.8/10 in the Common Vulnerability Scoring System – CVSS) and CVE-2021-1602 (8.2 /10 in CVSS), were found in the interfaces based management tools and exist due to incorrectly validated HTTP requests and insufficient user input validation, respectively.
CVE-2021-1609 affects RV340, RV340W, RV345 and RV345P Dual WAN Gigabit VPN routers, while CVE-2021-1602 affects RV160, RV160W, RV260, RV260P and RV260W VPN routers.
Both bugs can be exploited remotely without requiring authentication as part of low-complexity attacks that require no user interaction. Attackers could exploit the vulnerabilities by sending maliciously crafted HTTP requests to the affected routers’ web-based management interfaces.
Remote management disabled
Fortunately, as the company explains, the remote management feature is disabled by default on all affected VPN router models. “The web-based management interface for these devices is available through local LAN connections by default and cannot be disabled there,” says Cisco.
Also according to the company, the interface can also be made available through the WAN interface, enabling the remote management feature. By default, the remote management feature is disabled on affected devices.
To find out if remote management is enabled on their devices, the user should open the router’s web-based management interface through a local LAN connection and check if the “Basic Settings > Remote” Management option is enabled.
Cisco has released software updates to address these vulnerabilities and says there are no workarounds available to remove the attack vectors. To download the corrected firmware from Cisco Software Center, the user must click “Browse All” on Cisco.com and navigate to “Home Downloads > Routers > Small Business Routers > Small Business RV Series Routers”.
wild exploration
While Cisco says its Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the two security holes, similar router vulnerabilities have been used in the past by attackers.
In August 2020, Cisco warned of actively exploited zero-day bugs (CVE-2020-3566 and CVE-2020-3569) on carrier-grade IOS XR routers with multicast routing enabled. The company corrected day zero at the end of September of that year, one month after the initial notice.
A month later, in October, Cisco again warned of attacks that actively target a separate high-severity vulnerability (CVE-2020-3118), affecting the IOS XR Network OS deployed on the same router models.
On the same day, the US National Security Agency (NSA) also included CVE-2020-3118 among 25 security vulnerabilities targeted or exploited by threat operators allegedly sponsored by the Chinese government.
In July of last year, Cisco also fixed another actively exploited ASA/FTD firewall bug and a critical pre-authentication remote code execution (RCE) flaw that could lead to complete device control on vulnerable devices.
Source: CisoAdvisor
