A high-severity flaw in Cisco’s smart Wi-Fi solution for retailers could allow a remote attacker to alter the password of any account user on affected systems.
The vulnerability is part of a number of patches issued by Cisco addressing 67 high-severity CVEs on Wednesday. This included flaws found in Cisco’s AnyConnect Secure Mobility Client, as well as Cisco RV110W, RV130, RV130W, and RV215W small business routers.
The most serious flaw afflicts Cisco Connected Mobile Experiences (CMX), a software solution that is utilized by retailers to provide business insights or on-site customer experience analytics. The solution uses the Cisco wireless infrastructure to collect a treasure trove of data from the retailer’s Wi-Fi network, including real-time customer-location tracking.
For instance, if a customer connects to the Wi-Fi network of a store that utilizes CMX, retailers can track their locations within the venue, observe their behavior, and deliver special offers or promotions to them-while they’re there.
The vulnerability (CVE-2021-1144) is due to incorrect handling of authorization checks for changing a password. The flaw ranks 8.8 out of 10 on the CVSS vulnerability-severity scale, making it high severity. Of note, to exploit the flaw, an attacker must have an authenticated CMX account – but would not need administrative privileges.
“An authenticated attacker without administrative privileges could exploit this vulnerability by sending a modified HTTP request to an affected device,” said Cisco. “A successful exploit could allow the attacker to alter the passwords of any user on the system, including an administrative user, and then impersonate that user.”
Admins have a variety of privileges, including the ability to use File Transfer Protocol (FTP) commands for backing up and restoring data on Cisco CMX and gaining access to credentials (in order to unlock users who have been locked out of their accounts).
This vulnerability affects Cisco CMX releases 10.6.0, 10.6.1, and 10.6.2; the issue is patched in Cisco CMX releases 10.6.3 and later.
Other High-Severity Flaws
Another high-severity flaw (CVE-2021-1237) exists in the Cisco AnyConnect Secure Mobility Client for Windows. AnyConnect Secure Mobility Client, a modular endpoint software product, provides a wide range of security services (such as remote access, web security features and roaming protection) for endpoints.
The flaw allows attackers – if they are authenticated and local – to perform a dynamic-link library (DLL) injection attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system, Cisco said.
“An attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts,” according to Cisco. “A successful exploit could allow the attacker to execute arbitrary code on the affected machine with system privileges.”
Sixty of those CVEs exist in in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W and RV215W routers. These flaws could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.
“An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device,” according to Cisco. “A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a denial-of-service (DoS) condition.”
And, five more CVEs (CVE-2021-1146, CVE-2021-1147, CVE-2021-1148, CVE-2021-1149 and CVE-2021-1150) in the Cisco Small Business RV110W, RV130, RV130W, and RV215W routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.
Of note, Cisco said it would not release software updates for the Cisco Small Business RV110W, RV130, RV130W and RV215W routers, as they have reached end of life.
“Cisco has not released and will not release software updates to address the vulnerabilities described in this advisory,” according to Cisco. “The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process.”
Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m. ET.