Cisco: Patch routers now against massive 9.8/10-severity security hole

Cisco tells businesses to install updates six months after researchers reported a critical security flaw.

Cisco issues networking updates for 13 high-severity holes Cisco has fixes in its September bundle for over a dozen denial-of-service security flaws.

Cisco is warning businesses that use its wireless VPN and firewall routers to install updates immediately due to a critical flaw that remote attackers can exploit to break into a network. 

The vulnerability allows any attacker with any browser to execute code of their choice via the web interface used for managing Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router. 

The networking giant has assigned the bug, tagged as CVE-2019-1663, with a severity score of 9.8 out of a possible 10 under the Common Vulnerability Scoring System (CVSS). 

Cisco's developers failed to ensure the web app properly checks data that users type into the routers' management interface, which could give an attacker control of the operating system. 

"The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device," Cisco notes in its advisory. 

"A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user."

Customers are exposed to a remote attack if they enabled the remote-management feature on the affected devices. The feature is disabled by default. 

Admins can check whether a device has the remote-management feature enabled by opening the web interface and selecting Basic Settings > Remote Management. 

Cisco did not say the bug has been exploited, however knowledge of its existence has been floating around for six months. The company notes that Chinese security researchers revealed the bug at the GeekPwn Shanghai conference on October 24-25, 2018. 

The researchers did not reveal technical details of the bug. A researcher at US firm Pen Test Partners also supplied details to Cisco.

SEE: 10 tips for new cybersecurity pros (free PDF) 

The bug is fixed in software versions 1.2.2.1 for RV110W Wireless-N VPN Firewall, 1.0.3.45 for RV130W Wireless-N Multifunction VPN Router, and 1.3.1.1 for the RV215W Wireless-N VPN Router. 

Cisco is also investigating which of its products are affected by a serious container bug in runc, the runtime used by Docker and Kubernetes. The bug could allow an attacker to infect a container with malware that compromises the host system. 

It's yet to confirm whether any products are vulnerable, but notes in an updated advisory that it is probing Cisco IOS XE, Cisco UCS B-Series M3 Blade Servers, and Cisco Smart Software Manager Satellite. It's also updating a list of software that it has confirmed is not vulnerable to the container flaw.    

And if you've ever needed to install Cisco's Webex Meetings Desktop App to attend a conference call, it might be worth checking whether it's still installed. If it is, Cisco recommends updating as soon as possible. 

"A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user," Cisco explains in a security advisory

Previous and related coverage

Cisco's warning: Patch this default Network Assurance Engine password bug

When changing the default admin password doesn't actually change the password at all.

Cisco warns: Patch now or risk your security appliance choking on single rogue email

One bad email could crash your Cisco email security appliance and keep it down as it tries to process the same email over and again.

Cisco discloses arbitrary execution in SD-WAN Solution and Webex

Networking giant reveals 23 security issues hitting products including SD-WAN Solution, Webex, and small business routers.

Cisco updates SD-WAN portfolio with new security features

Among the key updates, Cisco said it's integrating application-aware enterprise firewall, intrusion prevention, and URL filtering into Cisco SD-WAN devices.

Cisco: Linux kernel FragmentSmack bug now affects 88 of our products

Cisco's list of products with a Linux kernel denial-of-service flaw is growing.

Cisco: We've killed another critical hard-coded root password bug, patch urgently

This time a 9.8/10-severity hardcoded password has been found in Cisco's video surveillance software.

Cisco critical flaw warning: These 10/10 severity bugs need patching now

Cisco's software for managing software-defined networks has three critical, remotely exploitable vulnerabilities.

Cisco patches critical Nexus flaws: Are your switches vulnerable?

You'll need to wade through Cisco's advisories to work out if software you're running is vulnerable or already fixed.

Cisco: Update now to fix critical hardcoded password bug, remote code execution flaw

Cisco patches two serious authentication bugs and a Java deserialization flaw.

Cisco warns customers of critical security flaws, advisory includes Apache Struts

The massive security update includes a patch for the recently-disclosed Apache bug -- but not all products will be fixed yet.

Cisco updates ASR 9000 edge routing platform to carry users to 5G, multicloud world TechRepublic

New automation software, a new networking processor, and a new operating system will help Cisco customers make the transition to next-generation networking.

Apple and Cisco pool their might to shield companies from cyber risks CNET

Apple and Cisco join forces to protect businesses from risk of cyber threats.