Cisco Systems said it will not fix a critical vulnerability found in three of its SOHO router models. The bug, rated 9.8 in severity out of 10, could allow unauthenticated remote users to hijack targeted equipment and gain elevated privileges within effected systems.
The three Cisco router models (RV110W, RV130, and RV215W) and one VPN firewall device (RV130W) are of varying age and have reached “end of life” and will not be patched, according to Cisco.
The company is advising customers to replace the equipment.
“Cisco has not released and will not release software updates to address the vulnerability described in this advisory. The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process,” the company wrote. The company added no workaround is available either.
Buffer Overflow Bug
In the Cisco Systems Security Advisory posted Wednesday, the networking giant said the flaw is due to improper validation of user-supplied input in the web-based management interface.
“An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system of the affected device,” Cisco wrote.
Workaround mitigation options, such as disabling the web-based management interface, are not available. “The web-based management interface of these devices is available through a local LAN connection, which cannot be disabled, or through the WAN connection if the remote management feature is enabled,” Cisco wrote. “[However by] default, the remote management feature is disabled on these devices,” Cisco wrote.
Past Router Problems
Each of the routers (RV110W, RV130 and RV215W) have had a rocky past. In 2019, hackers exploited a similar critical bug (CVE-2019-1663) after a public proof of concept was made available by researchers with Pen Test Partners.
In its blog post, Pen Test Partners attributed the root cause of 2019 bug to Cisco’s reliance on the use of insecure C programming language, such as strcpy (string copy).
Researcher Treck Zhou, who is credited for finding the 2021 bug, provided no such similar analysis. Unlike the 2019 bug, Cisco said it “is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.”
One More Critical Router Bug
On Wednesday, Cisco also warned of second critical bug, with a severity rating of 9.8, that impacts its Cisco SD-WAN vManage software. Two additional high-severity bugs were also reported impacting the same Cisco SD-WAN vManage software.
“Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or allow an authenticated, local attacker to gain escalated privileges on an affected system,” Cisco wrote.
Each of these bugs (CVE-2021-1137, CVE-2021-1479, CVE-2021-1480) are separate and cannot and do not need to be chained together. “The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability,” Cisco wrote.
The most serious of the bugs (CVE-2021-1479) impacts Cisco’ SD-WAN vManage software. It allows unauthenticated attackers to trigger a buffer overflow attack.
“The vulnerability is due to improper validation of user-supplied input to the vulnerable component. An attacker could exploit this vulnerability by sending a crafted connection request to the vulnerable component that, when processed, could cause a buffer overflow condition. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system with root privileges,” Cisco describes.
Cisco has released patches for vulnerabilities impacting its SD-WAN vManage Software. The other two CVE records (CVE-2021-1137 and CVE-2021-1480) are rated high-severity also have patches available.
“[These] vulnerabilities affect Cisco devices if they are running a vulnerable release of Cisco SD-WAN vManage Software,” Cisco wrote. It added, it was unaware of any known public exploits tied to these three vulnerabilities.
The vulnerability disclosures were part of a larger disclosure of bugs and fixes that totaled 16 flaws ranging from critical, high severity to medium.
Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a FREE Threatpost event, “Underground Markets: A Tour of the Dark Economy.” Experts will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. Register here for the Wed., April 21 LIVE event.