Cisco has alerted users to vulnerabilities in the web interface of its RV series of wireless VPN firewalls and routers that allow for remote code execution.
The networking giant, however, does not plan to release firmware updates until the third quarter. Cisco says it is not aware of public attacks against these vulnerabilities, but users will remain exposed until at least September, and no workarounds are available.
“The vulnerability is due to insufficient sanitization of HTTP user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request with custom user data,” Cisco said in its advisory. “An exploit could allow the attacker to execute arbitrary code with root-level privileges on the affected system, which could be leveraged to conduct further attacks.”
Cisco said the RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router are affected.
“The web-based management interface is available for these devices via a local LAN connection or the remote management feature,” Cisco said. “By default, the remote management feature is disabled for the affected devices.”
The remote code execution bugs received the highest criticality rating from Cisco, which also warned of cross-site scripting and buffer overflow vulnerabilities in the same product lines. These flaws are also expected to be patched in the same third-quarter firmware update.
The same web-based management interface is vulnerable to cross-site scripting attacks.
“The vulnerability is due to improper input validation of certain parameters that are sent to an affected device via the HTTP GET or HTTP POST method. An unauthenticated, remote attacker could exploit this vulnerability by persuading a user to follow a link that is designed to submit malicious input to an affected device,” Cisco said in its advisory. “A successful exploit could allow the attacker to execute arbitrary script in the context of the web-based management interface for the device or allow the attacker to access sensitive browser-based information.”
The buffer overflow vulnerabilities can also be exploited via the management interface, Cisco said. The interface lacks input sanitization on fields in HTTP requests.
“An attacker could exploit this vulnerability by sending an HTTP request that contains configuration commands with a crafted payload,” Cisco said. “A successful exploit could allow the attacker to cause a buffer overflow on the targeted system, which could cause the device to reload unexpectedly and result in a DoS condition.”