Critical Cisco Flaws Open VPN Routers Up to RCE Attacks

Cisco is rolling out fixes for critical holes in its lineup of small-business VPN routers. The flaws could be exploited by unauthenticated, remote attackers to view or tamper with data, and perform other unauthorized actions on the routers.

The flaws exist in the web-based management interface of Cisco’s small-business lineup of VPN routers. That includes its RV160, RV160W, RV260, RV260P, and RV260W models.

VPN routers have virtual private network functionality built directly into them; that means they have firmware that can handle VPN connections in order to establish a secure connection at the hardware level. These specific router models, which range in price from $150 to $250, are purpose-built for small- and medium-sized businesses and are touted as being ideal for remote offices.

“Cisco has released software updates that address these vulnerabilities,” according to Cisco on Wednesday. “There are no workarounds that address these vulnerabilities.”

Overall, the issue has been assigned seven CVEs (CVE-2021-1289, CVE-2021-1290, CVE-2021-1291, CVE-2021-1292, CVE-2021-1293, CVE-2021-1294, CVE-2021-1295). Cisco did not detail each CVE but did say that the CVEs have a base CVSS score of 9.8 out of 10 (making them critical in severity).

The flaws exist because HTTP requests are not properly validated in the management interface, according to Cisco. An attacker could exploit the vulnerabilities, merely by sending a specially crafted HTTP request to the management interface of one of the affected router models. From there, they would be able to execute arbitrary code as a root user, Cisco said.

The flaws affect the small business routers running a firmware release earlier than Release 1.0.01.02 – a fix has been rolled out as part of this release. Cisco has outlined further instructions on its security advisory for how to apply the update.

On Wednesday, Cisco also warned of two high-severity flaws (CVE-2021-1296 and CVE-2021-1297) across this same set of small-business VPN routers. The flaws could allow unauthenticated, remote attackers to launch directory traversal attacks and overwrite certain files that should be restricted on affected systems. Directory traversal attacks are typically launched against devices with insufficient security validation, in order to access files and directories that are stored outside the web root folder.

“These vulnerabilities are due to insufficient input validation,” said Cisco. “An attacker could exploit these vulnerabilities by using the web-based management interface to upload a file to location on an affected device that they should not have access to.”

These flaws are also fixed by firmware Release 1.0.01.02; The networking giant said that it’s not aware of any exploits in the wild of the critical flaws for any of these flaws.

High-Severity Flaws

Cisco on Wednesday pushed out a flurry of patches addressing high-severity vulnerabilities beyond its VPN small-business routers. Two Cisco product families are affected by these flaws.

One affected product is Cisco’s small business RV series routers – specifically, the RV016, RV042, RV042G, RV082, RV320, and RV325 models. Cisco warned of issues in these routers (tied to 30 CVEs) that could allow authenticated, remote attackers to execute arbitrary code or cause them to restart unexpectedly. The flaws, which stem from an improper validation of user-supplied input into the routers’ web-based interface, could be exploited by an attacker by sending crafted HTTP requests to affected devices.

“A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a denial-of-service (DoS) condition,” said Cisco.

Another set of glitches (tied to five CVEs) could also give an attacker the ability to inject arbitrary commands on the routers that are executed with root privileges. However, an attacker would first need administrative credentials, making this attack more complex to carry out.

Finally, Cisco patched various high-severity flaws affecting its IOS XR software, a train of Cisco Systems’ widely deployed Internetworking Operating System (IOS). The most serious of these flaws could allow an unauthenticated, remote attacker to trigger a denial-of-service (DoS) condition on affected devices in order to cripple them.

Since the beginning of the year, Cisco has patched various vulnerabilities across its product lineup, including multiple, critical vulnerabilities in its software-defined networking for wide-area networks (SD-WAN) solutions for business users, and a high-severity flaw in its smart Wi-Fi solution for retailers that could allow a remote attacker to alter the password of any account user on affected systems.

Download our exclusive FREE Threatpost Insider eBook, Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!