Cisco Patches Router Vulnerabilities

Tuesday, November 11, 2014 @ 03:11 PM gHale


Four Cisco routers from the RV series intended for small businesses are vulnerable to attacks that could allow an attacker to execute arbitrary commands and upload files to any location on the device.

The affected products are Cisco RV120W Wireless-N VPN Firewall, Cisco RV180 VPN Router, Cisco RV180W Wireless-N Multifunction VPN Router, and Cisco RV220W Wireless Network Security Firewall.

RELATED STORIES
Cisco Fixes Security Appliance Hole
Networking Devices Vulnerable to Attack
Cisco Working to Fix POODLE Vulnerabilities
Apple Releases Security Patch

Cisco issued an advisory last week detailing three flaws and released firmware updates for all but one product, RV220W, which should receive a patch by the end of the month.

One of the security glitches detected by the company allows a potential attacker to remotely execute arbitrary commands with the highest privileges (root), by delivering a specially crafted HTTP request to the vulnerable device.

The flaw can end up exploited with the understanding the attacker has authentication. Identified as CVE-2014-2177, the glitch resides in the network diagnostics administration pages of the routers and emerged because of improper validation of user-supplied input.

Another bug (CVE-2014-2178) enclosed in the latest updates opened the door for a cross-site request forgery (CSRF) attack from a remote, unauthenticated intruder.

User intervention would be necessary to carry out the compromise, as an authenticated victim has to end up launching a maliciously crafted link, thus allowing the attacker to complete unauthorized actions, with the same privileges as the authenticated user.

The third vulnerability (CVE-2014-2179) plaguing Cisco RV series routers is in the way file uploads end up executed, offering the possibility to a remote, unauthenticated individual to place an item anywhere on the device.

According to Securify, the company reporting all three issues to Cisco, a certain cookie handled in an insecure manner allows a potential attacker to set an arbitrary path for the uploaded file, which would overwrite existing items.

Researchers said this is possible because the cookie value ends up used as the path name and there is no input validation for it.

Cisco provides firmware update 1.0.4.14 for the RV180 and RV180W devices and 1.0.5.9 for the RV120W.

If the user cannot apply the fixes immediately, the company offers workaround solutions for eliminating the security risks until the update with a permanent fix can end up installed; these settings are also valid for RV220W.

The measures consist in disabling remote management for the devices, so an attacker outside the network would not be able to connect to the router and make modifications; however, if management occurs through a WAN, the user does not need to do the action.



Leave a Reply

You must be logged in to post a comment.