Vulnerabilities Reported in Cisco VPN Routers

Cisco has rolled out fixes for multiple critical vulnerabilities in the web-based management interface of Small Business routers that could potentially allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device.

Affected CVEs

  1. CVE-2021-1289 through CVE-2021-1295 (CVSS score 9.8) impact RV160, RV160W, RV260, RV260P, and RV260W VPN routers running a firmware release earlier than Release 1.0.01.02.
  2. CVE-2021-1296 and CVE-2021-1297 affect the same set of VPN routers and could have made it possible for an adversary to overwrite arbitrary files on the vulnerable system.
  3. CVE-2021-1314 through CVE-2021-1318 affect the web-based management interface of Small Business routers.
  4. CVE-2021-1319 through CVE-2021-1348 impact RV160, RV160W, RV260, RV260P, and RV260W VPN routers.

How the exploitations work

  1. All nine security issues were reported to the networking equipment maker by security researcher Takeshi Shiomitsu, who has previously uncovered similar critical flaws in RV110W, RV130W, and RV215W routers that could be leveraged for remote code execution (RCE) attacks.
  2. CVE-2021-1289, CVE-2021-1290, CVE-2021-1291, CVE-2021-1292, CVE-2021-1293, CVE-2021-1294, and CVE-2021-1295 are a result of improper validation of HTTP requests, allowing an attacker to send a specially crafted HTTP request to the web-based management interface and achieve RCE.
  3. CVE-2021-1296 and CVE-2021-1297 are due to insufficient input validation, permitting an attacker to exploit these flaws using the web-based management interface to upload a file to a location that they should not have access to.
  4. Separately, another set of five glitches (CVE-2021-1314 through CVE-2021-1318) in the web-based management interface of Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 routers could have granted an attacker the ability to inject arbitrary commands on the routers that are executed with root privileges.
  5. Cisco also addressed 30 additional vulnerabilities (CVE-2021-1319 through CVE-2021-1348), affecting the same set of products, that could allow an authenticated, remote attacker to execute arbitrary code and even cause a denial-of-service condition.

Vulnerable Products

These vulnerabilities affect the following Cisco Small Business Routers if they are running a firmware release earlier than Release 1.0.01.02:

  • RV160 VPN Router
  • RV160W Wireless-AC VPN Router
  • RV260 VPN Router
  • RV260P VPN Router with POE
  • RV260W Wireless-AC VPN Router

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of the advisory published by Cisco are known to be affected by these vulnerabilities.

Cisco has confirmed that these vulnerabilities do not affect the following Cisco products:

  1. RV340 Dual WAN Gigabit VPN Router
  2. RV340W Dual WAN Gigabit Wireless-AC VPN Router
  3. RV345 Dual WAN Gigabit VPN Router
  4. RV345P Dual WAN Gigabit POE VPN Router

Remediations:

  1. Cisco fixed these vulnerabilities in firmware releases 1.0.01.02 and later for Cisco RV160, RV160W, RV260, RV260P, and RV260W Routers.
  2. To download the updated fixed software from the Software Center on Cisco.com, do the following:
     1. Click Browse all.
     2. Choose Routers > Small Business Routers > Small Business RV Series Routers.
     3. Choose the appropriate router.
     4. Choose Small Business Router Firmware.
     5. Choose a release from the left pane of the product page.
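
To find which devices still need the update, an inventory can be checked against the model lists and the fixed release given above. The following is an added example, not code from Cisco or from the original page; the CSV layout, the status names, the function names and the sample hosts are assumptions made for illustration.

```python
import csv
import io

FIXED_RELEASE = "1.0.01.02"  # release and model lists below are as given on this page
AFFECTED = {"RV160", "RV160W", "RV260", "RV260P", "RV260W"}
# Listed under CVE-2021-1314 through CVE-2021-1318; the page names no fixed release.
OTHER_SERIES = {"RV016", "RV042", "RV042G", "RV082", "RV320", "RV325"}
NOT_AFFECTED = {"RV340", "RV340W", "RV345", "RV345P"}


def parse_release(text):
    """Turn '1.0.01.02' into (1, 0, 1, 2); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware release: {text!r}")
    return tuple(int(p) for p in parts)


def classify(model, firmware):
    """Return a triage status for one device (status names are this example's own)."""
    model = model.strip().upper().replace("CISCO ", "", 1).strip()
    if model in NOT_AFFECTED:
        return "not-affected"
    if model in OTHER_SERIES:
        return "check-advisory"
    if model not in AFFECTED:
        return "unknown-model"
    try:
        running = parse_release(firmware)
    except ValueError:
        return "unknown-firmware"  # treat as unpatched until checked by hand
    return "patched" if running >= parse_release(FIXED_RELEASE) else "vulnerable"


def triage(inventory_csv):
    """Map hostname -> status for CSV text with hostname,model,firmware columns."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["hostname"]: classify(r["model"], r["firmware"]) for r in rows}


# Constructed sample inventory: hypothetical hosts and firmware strings.
SAMPLE = """hostname,model,firmware
branch-01,RV160W,1.0.00.17
branch-02,Cisco rv260,1.0.01.02
hq-edge,RV345,1.0.03.20
lab-old,RV042G,4.2.3.14
branch-04,RV160,unknown
"""

print(triage(SAMPLE))
```

Releases are compared as tuples of integers rather than as strings, so zero-padded components such as `01` order correctly, and a firmware string that does not parse is reported separately instead of being assumed patched.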