Network equipment giant Cisco has rolled out a patch to address a critical vulnerability affecting its small business VPN routers that could be abused by remote attackers to execute arbitrary code or even cause a denial of service (DoS) condition.
The issues, tracked as CVE-2021-1609 (CVSS score: 9.8) and CVE-2021-1610 (CVSS score: 7.2), affect the Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN routers running firmware versions prior to 1.0.03.22. Both problems stem from a lack of proper authentication of HTTP requests, allowing criminals to send specially crafted HTTP requests to vulnerable devices.
Successful exploitation of CVE-2021-1609 could allow an unauthenticated remote attacker to execute arbitrary code on the device or cause the device to reload, resulting in a DoS condition. CVE-2021-1610 concerns a command injection vulnerability that, if exploited, could allow an authenticated adversary to remotely execute arbitrary commands with root privileges on an affected device, the company noted in its advisory.
Cisco also addressed a high-severity remote code execution bug (CVE-2021-1602, CVSS score: 8.2) affecting Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN routers that could be exploited by unauthenticated remote attackers to execute arbitrary commands on the underlying operating system of an affected device. Small Business RV series routers running firmware versions earlier than 1.0.01.04 are vulnerable.
“This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface,” Cisco said. “A successful exploit could allow an attacker to execute arbitrary commands on the affected device with root-level privileges. Due to the nature of the vulnerability, only commands without parameters can be executed.”
The company noted that there is no evidence of active exploitation attempts for any of these flaws, and that there are no workarounds that address the vulnerabilities.
CVE-2021-1602 marks the second time Cisco has fixed a critical remote code execution flaw related to the same set of VPN appliances. In early February, the company patched 35 vulnerabilities that could allow an unauthenticated remote attacker to execute arbitrary code on an affected device as root.
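With no workarounds available, the practical check is whether each router's firmware is older than the fixed release for its model. The following is an added example, not Cisco's code: it triages an inventory against the models, fixed versions and CVEs named in this article, assuming a `hostname,model,firmware` row format and four-field numeric version strings; the sample hostnames and installed versions are constructed.

```python
import re

# Model -> (first fixed firmware release, CVEs it fixes), as listed in the article.
FIXED = {
    **dict.fromkeys(("RV340", "RV340W", "RV345", "RV345P"),
                    ("1.0.03.22", ("CVE-2021-1609", "CVE-2021-1610"))),
    **dict.fromkeys(("RV160", "RV160W", "RV260", "RV260P", "RV260W"),
                    ("1.0.01.04", ("CVE-2021-1602",))),
}

def parse_version(text):
    """Turn '1.0.03.22' into (1, 0, 3, 22) so fields compare as numbers.
    Plain string comparison would rank '1.0.01.3' above '1.0.01.04'."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):  # assumed four-field format
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def triage(model, firmware):
    """Return the CVEs that still apply, () if fixed, None if model not listed."""
    entry = FIXED.get(model.strip().upper())
    if entry is None:
        return None
    fixed_in, cves = entry
    return cves if parse_version(firmware) < parse_version(fixed_in) else ()

def report(inventory_lines):
    """Map each hostname in 'hostname,model,firmware' rows to (status, cves)."""
    results = {}
    for line in inventory_lines:
        host, model, firmware = (field.strip() for field in line.split(","))
        try:
            cves = triage(model, firmware)
        except ValueError:
            # Do not report an unparseable version as patched.
            results[host] = ("CHECK MANUALLY", ())
            continue
        status = "NOT LISTED" if cves is None else "VULNERABLE" if cves else "OK"
        results[host] = (status, cves or ())
    return results

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    "branch-01,RV340,1.0.03.21",
    "branch-02,rv345p,1.0.03.22",
    "branch-03,RV260W,1.0.01.3",
    "branch-04,RV160,1.0.01.04",
    "branch-05,RV340W,1.0.03.x",
]

if __name__ == "__main__":
    for host, (status, cves) in report(SAMPLE).items():
        print(f"{host}: {status} {' '.join(cves)}")
```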