Got an inexpensive Cisco router in your home office? If it is one of these, there is an exposed RCE hole that you need to plug • The Register
Cisco has released fixes for critical vulnerabilities affecting the web-based management interface of some of its Small Business Dual WAN Gigabit routers, including one with a nasty 9.8 CVSS score.
Both vulnerabilities affect the RV340, RV345, RV340W, and RV345P products, which are intended for SMBs and home offices. Attackers who abuse them on unpatched devices can execute arbitrary code and force a restart of the affected routers, causing a denial-of-service condition.
CVE-2021-1609, rated 9.8 on the CVSS v3.1 scale, allows attackers to “remotely execute arbitrary code” through incorrect validation of HTTP requests, according to Cisco.
Likewise, CVE-2021-1610 (notice also available at the link above) is a command injection vulnerability that allows attackers to run arbitrary commands as root – again, because “HTTP requests are not properly validated”. This one is rated 7.2 on the CVSS v3.1 scale.
Administrators running any of the routers mentioned above are advised to go to the Cisco website and download and install the patches immediately. There is currently no workaround. Criminal gangs have a bad habit of quickly trying to identify and exploit newly patched vulnerabilities, so the longer you wait to patch, the greater the risk.
Satnam Narang, research engineer at infosec biz Tenable, noted that the affected web management interface is enabled by default (and cannot be disabled) on LAN connections on these routers.
He said: “Based on queries through BinaryEdge, we have confirmed that there are at least 8,850 remotely accessible devices. Pulse Secure, Citrix and Fortinet.”
If all else fails, disabling access to the web administration interface from non-LAN connections may reduce the risk, but it will not eliminate it completely.
The vulnerabilities are broadly similar to those discovered in February affecting the Cisco RV160 series of small business VPN routers. The security of small routers is a growing concern as inexpensive, old but functional devices come under increased scrutiny. New laws in the UK aim to help fix the problem, although unless you push for updates to end-of-life devices, it’s hard to see how to prevent people from continuing to use an old gadget that still does the job.
In other, less alarming Switchzilla router news, the US-based company now offers 5G connectivity built into ruggedized routers for use in cars and off-road vehicles. ®