Cisco has released fixes for multiple security vulnerabilities, ranging from medium to critical severity, that an unauthenticated attacker could exploit. The Cisco Small Business RV340, RV340W, RV345, RV345P Dual WAN Gigabit, RV160, RV160W, RV260, RV260P, and RV260W VPN routers have multiple vulnerabilities in the web-based management interface. Cisco also released a patch for a vulnerability in Firepower Device Manager (FDM) On-Box software, which resides in the FDM REST API. Neither issue has been exploited in the wild, and patches have been released.
Technical Detail & Additional Information
WHAT IS THE THREAT?
The Cisco Small Business VPN router vulnerabilities both affect the web-based management interface. CVE-2021-1609 exists because the interface does not properly validate HTTP requests, so an attacker can craft an HTTP request that can potentially allow unauthorized access. CVE-2021-1602, the other vulnerability affecting the management interface, exists because of insufficient user input validation, which can potentially allow a threat actor to perform remote code execution and gain root-level access. The FDM On-Box software vulnerability exists because user input to REST API commands is not properly sanitized. If exploited, it can allow a threat actor to execute arbitrary code on the affected operating system.
WHY IS IT NOTEWORTHY?
These vulnerabilities exist on multiple versions of VPN routers as well as a Cisco firewall manager (REST API). The REST API vulnerability impacts FDM versions 6.3.0, 6.4.0, 6.5.0, 6.6.0, and 6.7.0 and has a CVSS score of 6.3, which is generally considered medium severity. The web-based management remote code execution vulnerability is high severity, with a CVSS score of 8.2. CVE-2021-1609, which potentially allows threat actors to execute arbitrary code or commands and cause a DoS condition, has a score of 9.8, making it critical in severity.
WHAT IS THE EXPOSURE OR RISK?
Leaving these Cisco vulnerabilities unpatched could lead to a significant security incident. Because some of them can give an attacker root-level access, data on affected systems could be deleted, altered, or potentially held for ransom. Cisco VPN users and firewall administrators are at great risk of compromise if patching is neglected.
WHAT ARE THE RECOMMENDATIONS?
Cisco has stated that there are currently no workarounds for these vulnerabilities; however, updates have been released.
- Update affected Cisco products immediately to patch these vulnerabilities.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.