Cisco says it will not patch 3 small business router models & 1 VPN firewall device with critical vulnerabilities.
Cisco Systems has explained it will not fix a critical vulnerability found in 3 of its SOHO router models. The bug, rated 9.8 in severity out of 10, could allow unauthenticated remote users to hijack targeted equipment & gain elevated privileges within effected systems.
Router Models
The 3 Cisco router models (RV110W, RV130, & RV215W) & 1 VPN firewall device (RV130W) are of varying age & have reached “end of life” & will not be patched, according to Cisco.
The company is advising customers to replace the equipment.
“Cisco has not released & will not release software updates to address the vulnerability described in this advisory. The Cisco Small Business RV110W, RV130, RV130W, & RV215W Routers have entered the end-of-life process,” the company wrote. The company added no workaround is available either.
Overflow Bug
In the Cisco Systems Security Advisory posted Wed., the networking giant said the flaw is due to improper validation of user-supplied input in the web-based management interface.
“An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system of the affected device,” Cisco wrote.
Mitigation Options
Workaround mitigation options, such as disabling the web-based management interface, are not available.
“The web-based management interface of these devices is available through a local LAN connection, which cannot be disabled, or through the WAN connection if the remote management feature is enabled,” Cisco wrote. “However, by default, the remote management feature is disabled on these devices,” Cisco outlined.
Past Router Problems
Each of the routers (RV110W, RV130 & RV215W) have had a rocky past. In 2019, hackers exploited a similar critical bug (CVE-2019-1663) after a public proof of concept was made available by researchers with Pen Test Partners.
Pen Test Partners attributed the root cause of 2019 bug to Cisco’s reliance on the use of insecure C programming language, such as strcpy (string copy).
Researcher Treck Zhou, who is credited for finding the 2021 bug, provided no such similar analysis. Unlike the 2019 bug, Cisco said it “is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.”
Critical Router Bug
On Wed., Cisco also warned of 2nd critical bug, with a severity rating of 9.8, that impacts its Cisco SD-WAN vManage software. 2 additional high-severity bugs were also reported impacting the same Cisco SD-WAN vManage software.
“Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or allow an authenticated, local attacker to gain escalated privileges on an affected system,” Cisco wrote.
Each of these bugs (CVE-2021-1137, CVE-2021-1479, CVE-2021-1480) are separate & cannot & do not need to be chained together. “The vulnerabilities are not dependent on 1 another. Exploitation of 1 of the vulnerabilities is not required to exploit another vulnerability,” Cisco wrote.
SD-WAN
The most serious of the bugs (CVE-2021-1479) impacts Cisco’ SD-WAN vManage software. It allows unauthenticated attackers to trigger a buffer overflow attack.
“The vulnerability is due to improper validation of user-supplied input to the vulnerable component. An attacker could exploit this vulnerability by sending a crafted connection request to the vulnerable component that, when processed, could cause a buffer overflow condition. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system with root privileges,” Cisco describes.
Larger Disclosure of Bugs & Fixes
Cisco has released patches for vulnerabilities impacting its SD-WAN vManage Software. The other 2 CVE records (CVE-2021-1137 & CVE-2021-1480) are rated high-severity also have patches available.
“These vulnerabilities affect Cisco devices if they are running a vulnerable release of Cisco SD-WAN vManage Software,” Cisco wrote. It added, it was unaware of any known public exploits tied to these 3 vulnerabilities.
The vulnerability disclosures were part of a larger disclosure of bugs & fixes that totalled 16 flaws ranging from critical, high severity to medium.
https://www.cybernewsgroup.co.uk/virtual-conference-may-2021/