Cisco has addressed pre-authentication security vulnerabilities that affect multiple small business VPN routers and allow remote attackers to trigger a denial of service condition or run arbitrary code and commands on vulnerable devices.
The two security flaws, tracked as CVE-2021-1609 (rated 9.8/10) and CVE-2021-1602 (8.2/10), were found in the routers' web-based management interfaces and are caused by improperly validated HTTP requests and insufficient user input validation, respectively.
Both flaws can be exploited remotely without authentication in low-complexity attacks that require no user interaction.
Attackers could exploit the vulnerabilities by sending maliciously crafted HTTP requests to the web-based management interfaces of affected routers.
Remote management disabled by default on all affected routers
Fortunately, as the company explains, the remote management feature is disabled by default on all affected VPN router models.
“The web-based management interface for these devices is available over local LAN connections by default and cannot be disabled there,” says Cisco.
“The interface can also be made available through the WAN interface by enabling the remote management feature. By default, the remote management feature is disabled on affected devices.”
To find out whether remote management is enabled on your devices, open the router's web-based management interface over a local LAN connection and check whether Basic Settings > Remote Management is enabled.
Cisco has released software updates to address these vulnerabilities and says there are no workarounds available to remove the attack vectors.
To download the patched firmware from the Cisco Software Center, click Browse All on Cisco.com and navigate to Downloads Home > Routers > Small Business Routers > RV Series Small Business Routers.
No in-the-wild exploitation
While Cisco says its "Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use" of the two security flaws, attackers have targeted similar router vulnerabilities in the wild in the past.
In August 2020, Cisco warned of actively exploited zero-day bugs (CVE-2020-3566 and CVE-2020-3569) in carrier-grade IOS XR routers with multicast routing enabled. The company patched the zero-days in late September 2020, a month after the initial warning.
A month later, in October 2020, Cisco again warned of attacks actively targeting a separate high-severity vulnerability (CVE-2020-3118) affecting the IOS XR network operating system deployed on the same router models.
On the same day, the US National Security Agency (NSA) also listed CVE-2020-3118 among 25 security vulnerabilities being targeted or exploited by Chinese state-sponsored threat actors.
In July 2020, Cisco fixed another actively exploited ASA/FTD firewall bug and a critical pre-authentication remote code execution (RCE) flaw that could lead to full takeover of vulnerable devices.