A critical security vulnerability in a subset of Cisco Systems’ small-business VPN routers could let a remote, unauthenticated attacker take over a device, & researchers stated there are at least 8,800 vulnerable systems open to compromise.
Cisco addressed the bug (CVE-2021-1609) as part of a group of patches rolled out this week. The fixes & affected products are as follows:
- Cisco RV340, RV340W, RV345, & RV345P Dual WAN Gigabit VPN Routers Web Management Vulnerabilities (advisory)
- Cisco Small Business RV160 & RV260 Series VPN Routers Remote Command Execution Vulnerability (advisory)
- Cisco Packet Tracer for Windows DLL Injection Vulnerability (advisory)
- Cisco Network Services Orchestrator CLI Secure Shell Server Privilege Escalation Vulnerability (advisory)
- ConfD CLI Secure Shell Server Privilege Escalation Vulnerability (advisory)
Critical RCE Security Bug
The critical bug affects the vendor’s Dual WAN Gigabit VPN routers. According to the advisory, CVE-2021-1609 exists in the web management interface for the devices & carries a CVSSv3 vulnerability-severity score of 9.8. It arises from improper validation of HTTP requests.
According to an analysis published last Thursday by Tenable, a remote, unauthenticated attacker could thus exploit the vulnerability by sending a specially crafted HTTP request to a vulnerable device, “resulting in arbitrary code-execution as well as the ability to reload the device, resulting in a denial of service (DoS).”
Remote Management
Remote management of these devices is disabled by default, according to Cisco, which would thwart such attacks. However, researchers at Tenable found that more than 8,800 devices are publicly accessible & vulnerable to exploitation.
Meanwhile, a second bug affecting the same devices, CVE-2021-1610, is a high-rated command-injection vulnerability in the same web management interface.
Improper Validation
“While both flaws exist due to improper validation of HTTP requests & can be exploited by sending specially crafted HTTP requests, CVE-2021-1610 can only be exploited by an authenticated attacker with root privileges,” according to Tenable.
“Successful exploitation would grant an attacker the ability to gain arbitrary command execution on the vulnerable device’s operating system.”
The web management interface for its small business VPN routers is available by default through local area network connections & can’t be disabled, Cisco noted, adding that some versions of the router software may only be affected by one of the 2 vulnerabilities.
In-the-Wild
Though no in-the-wild exploitation has been seen thus far, Tenable warned that this is likely to change.
“In Jan. 2019, Cisco published advisories for 2 different vulnerabilities in its RV320 & RV325 WAN VPN routers,” according to the analysis.
“A few days after the advisories were published, proof-of-concept exploit scripts for these flaws were published, which was followed by active scanning for vulnerable devices. Because of this historical precedent, we believe it is important that organisations patch these latest vulnerabilities as soon as possible.”
If patching isn’t possible, users should make sure that remote web management is disabled, the firm added.
High-Severity Cisco Security Bugs
Cisco also addressed several high-severity bugs, with severity ratings ranging from 7.8 to 8.8 on the CVSSv3 scale.
The bug tracked as CVE-2021-1602 exists in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, & RV260W VPN Routers. If exploited, it could allow an unauthenticated, remote attacker to execute arbitrary commands with root-level privileges on the underlying operating system.
Like the Gigabit VPN router issues, the vulnerability is due to insufficient user input validation, & an attacker could exploit it by sending a crafted request to the web-based management interface. However, a mitigating factor is that only commands without parameters can be executed, according to Cisco.
Cisco Packet Tracer
Meanwhile, a vulnerability in Cisco Packet Tracer for Windows (CVE-2021-1593) could allow an authenticated, local attacker to perform a DLL injection attack on an affected device. An attacker must have valid credentials on the Windows system in order to be successful, according to the advisory.
“This vulnerability is due to incorrect handling of directory paths at run time,” Cisco explained.
Arbitrary Code
“An attacker could exploit this vulnerability by inserting a configuration file in a specific path on the system, which can cause a malicious DLL file to be loaded when the application starts.
A successful exploit could allow an attacker with normal user privileges to execute arbitrary code on the affected system with the privileges of another user’s account.”
The last high-severity security issue is tracked as CVE-2021-1572, & it affects both the Cisco Network Services Orchestrator (NSO) & ConfD options for the CLI Secure Shell (SSH) Server.
Privilege-Escalation
It’s a privilege-escalation bug that could allow an authenticated, local attacker to execute ‘arbitrary commands’ at the level of the account under which the service is running, which is commonly root.
To exploit the vulnerability, an attacker must have a valid account on an affected device.
“The vulnerability exists because the affected software incorrectly runs the SFTP user service at the privilege level of the account that was running when the built-in SSH server for CLI was enabled,” according to Cisco.
SFTP Interface
“An attacker with low-level privileges could exploit this vulnerability by authenticating to an affected device & issuing a series of commands at the SFTP interface.”
Any user who can authenticate to the built-in SSH server could exploit the bug, the vendor cautioned.
Since Cisco bugs are popular with cyber-attackers, users should update now to the latest versions of the affected products (patches are available via the advisory links above).