Cisco has published patches for critical vulns affecting the web management interface for some of its Small Business Dual WAN Gigabit routers – including a 9.8-rated nasty.
The two vulnerabilities affect the RV340, RV345, RV340W, and RV345P products, which are aimed at SMEs and home office setups. Attackers abusing them on unpatched devices are able to execute arbitrary code and also force reboots of affected routers, causing a denial-of-service condition.
CVE-2021-1609, rated 9.8 on the CVSS v3.1 scale, allows attackers to “remotely execute arbitrary code” thanks to improper validation of HTTP requests, according to Cisco’s advisory.
Similarly, CVE-2021-1610 (advisory also available at the link above) is a command injection vuln allowing attackers to run arbitrary commands as root – again, because “HTTP requests are not properly validated.” This one’s rated at 7.2 on the CVSS v3.1 scale.
Admins running one of the above-named routers are advised get to Cisco’s website, download and install the patches immediately. There are currently no workarounds. Criminal gangs have a nasty habit of rapidly trying to identify and exploit newly patched vulns so the longer the patching is left, the greater the risk.
Satnam Narang, a staff research engineer at infosec biz Tenable, noted that the affected web management interface is enabled by default (and can’t be disabled) over LAN connections into the routers.
He opined: “Based on queries via BinaryEdge, we’ve confirmed there are at least 8,850 remotely accessible devices. While no proof-of-concept exploit for these flaws is presently available, we know historically that attackers favor targeting vulnerabilities in VPN devices like Pulse Secure, Citrix, and Fortinet.”
If all else fails, disabling web admin interface access from non-LAN connections may reduce the risk but won’t eliminate it altogether.
The vulns are broadly similar to ones discovered back in February, affecting Cisco’s RV160 line of small biz VPN routers. Small router security is an increasing problem as inexpensive, old but functional devices come under increased scrutiny. New laws in the UK aim to help tackle the problem, though short of pushing device-bricking updates at end of life, it’s difficult to see how to stop people using an old gadget that still serves its intended purpose.
In other alarming Switchzilla router security news, the US-HQ’d company is offering 5G connectivity baked into ruggedised routers intended for use in cars and off-road vehicles. ®