Cisco is warning businesses that use its wireless VPN and firewall routers to install updates immediately due to a critical flaw that remote attackers can exploit to break into a network.
The vulnerability allows any attacker with any browser to execute code of their choice via the web interface used for managing Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router.
The networking giant has assigned the bug, tagged as CVE-2019-1663, with a severity score of 9.8 out of a possible 10 under the Common Vulnerability Scoring System (CVSS).
Cisco's developers failed to ensure the web app properly checks data that users type into the routers' management interface, which could give an attacker control of the operating system.
"The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device," Cisco notes in its advisory.
"A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user."
Customers are exposed to a remote attack if they enabled the remote-management feature on the affected devices. The feature is disabled by default.
Admins can check whether a device has the remote-management feature enabled by opening the web interface and selecting Basic Settings > Remote Management.
Cisco did not say the bug has been exploited, however knowledge of its existence has been floating around for six months. The company notes that Chinese security researchers revealed the bug at the GeekPwn Shanghai conference on October 24-25, 2018.
The researchers did not reveal technical details of the bug. A researcher at US firm Pen Test Partners also supplied details to Cisco.
SEE: 10 tips for new cybersecurity pros (free PDF)
The bug is fixed in software versions 220.127.116.11 for RV110W Wireless-N VPN Firewall, 18.104.22.168 for RV130W Wireless-N Multifunction VPN Router, and 22.214.171.124 for the RV215W Wireless-N VPN Router.
Cisco is also investigating which of its products are affected by a serious container bug in runc, the runtime used by Docker and Kubernetes. The bug could allow an attacker to infect a container with malware that compromises the host system.
It's yet to confirm whether any products are vulnerable, but notes in an updated advisory that it is probing Cisco IOS XE, Cisco UCS B-Series M3 Blade Servers, and Cisco Smart Software Manager Satellite. It's also updating a list of software that it has confirmed is not vulnerable to the container flaw.
And if you've ever needed to install Cisco's Webex Meetings Desktop App to attend a conference call, it might be worth checking whether it's still installed. If it is, Cisco recommends updating as soon as possible.
"A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user," Cisco explains in a security advisory.
Previous and related coverage
When changing the default admin password doesn't actually change the password at all.
One bad email could crash your Cisco email security appliance and keep it down as it tries to process the same email over and again.
Networking giant reveals 23 security issues hitting products including SD-WAN Solution, Webex, and small business routers.
Among the key updates, Cisco said it's integrating application-aware enterprise firewall, intrusion prevention, and URL filtering into Cisco SD-WAN devices.
Cisco's list of products with a Linux kernel denial-of-service flaw is growing.
This time a 9.8/10-severity hardcoded password has been found in Cisco's video surveillance software.
Cisco's software for managing software-defined networks has three critical, remotely exploitable vulnerabilities.
You'll need to wade through Cisco's advisories to work out if software you're running is vulnerable or already fixed.
Cisco patches two serious authentication bugs and a Java deserialization flaw.
The massive security update includes a patch for the recently-disclosed Apache bug -- but not all products will be fixed yet.
New automation software, a new networking processor, and a new operating system will help Cisco customers make the transition to next-generation networking.
Apple and Cisco join forces to protect businesses from risk of cyber threats.