Cisco warns of critical remote code execution flaws in these small business VPN routers
Remote attackers can use the bugs to execute code as the root user.
Cisco is warning customers using its small business routers to upgrade the firmware to fix flaws that could give remote attackers root level access to the devices.
The critical flaws affect the Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers. These were the models Cisco recommended customers using unsupported small business routers to move to last month.
Networking
There are several bugs in the web management interface of the routers that remote attackers can use to execute code as the root user. The devices don't properly validate HTTP requests, allowing an attacker to send specially crafted HTTP requests that might exploit the flaw.
Also: Best VPN services in 2021: Safe and fast don't come free
The gear is vulnerable if it is running a firmware release earlier than Release 1.0.01.02, according to Cisco. Affected devices include the RV160 VPN Router, RV160W Wireless-AC VPN Router, RV260 VPN Router, RV260P VPN Router with POE, and RV260W Wireless-AC VPN Router.
There are no workarounds, so customers must upgrade to release 1.0.01.02 or later. It released that version in January. Cisco is tracking the bugs as CVE-2021-1289, CVE-2021-1290, and CVE-2021-1291.
The web interface of the Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers are also vulnerable to remote attacks via a directory traversal issue. Admins need to ensure devices have firmware that is release 1.0.01.02 or later to be protected.
"An attacker could exploit these vulnerabilities by using the web-based management interface to upload a file to a location on an affected device that they should not have access to. A successful exploit could allow the attacker to overwrite files on the file system of the affected device," Cisco warned.
This set of bugs is being tracked as CVE-2021-1296 and CVE-2021-1297.
There are also multiple high-severity flaws in the web interface of the Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers. The bugs are remotely exploitable and can be used to trigger a denial of service.
It's another input validation issue that allows an attacker to send HTTP requests designed to exploit the bugs. Cisco notes that the attacker would need correct administrator credentials to exploit the bugs. Cisco is tracking these as CVE-2021-1319, CVE-2021-1320, and CVE-2021-1321.
The same set of routers are also vulnerable to multiple command injection vulnerabilities that have been tagged with the identifiers CVE-2021-1314, CVE-2021-1315, and CVE-2021-1316.
SEE: How do we stop cyber weapons from getting out of control?
Again, the flaws are due to improper validation of user-supplied input that allow an attacker to send crafted HTTP requests to the devices. These are high severity issues that "could allow the attacker to execute arbitrary code as the root user on the underlying operating system", according to Cisco.
An attacker would need to have valid administrator credentials to exploit the flaws.
Cisco fixed the bugs affecting the RV320 and RV325 Dual Gigabit WAN VPN Routers in firmware release 1.5.1.13.
However, it will not release firmware updates for the Cisco RV016, RV042, RV042G, and RV082 Routers because they have have entered the end-of-life process.
The affected devices are vulnerable if they're running the below firmware releases:
Product | Firmware Release |
RV016 Multi-WAN VPN Routers | 4.2.3.14 and earlier |
RV042 Dual WAN VPN Routers | 4.2.3.14 and earlier |
RV042G Dual Gigabit WAN VPN Routers | 4.2.3.14 and earlier |
RV082 Dual WAN VPN Routers | 4.2.3.14 and earlier |
RV320 Dual Gigabit WAN VPN Routers | 1.5.1.11 and earlier |
RV325 Dual Gigabit WAN VPN Routers | 1.5.1.11 and earlier |