Cisco Patches Critical and High Severity RCE Vulnerabilities in VPN Routers

Cisco has released updates addressing 3 pre-auth security vulnerabilities affecting VPN routers.

The vulnerabilities are remotely exploitable without requiring authentication and allow attackers to remotely execute commands and arbitrary code or to trigger a denial-of-service on vulnerable devices.

The Vulnerabilities

A vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device or cause the device to reload, resulting in a denial of service (DoS) condition.

A vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary commands with root privileges on an affected device.

A vulnerability in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.

Affected Products

  • RV340 Dual WAN Gigabit VPN Router (fixed in firmware releases 1.0.03.22 and later)
  • RV340W Dual WAN Gigabit Wireless-AC VPN Router (fixed in firmware releases 1.0.03.22 and later)
  • RV345 Dual WAN Gigabit VPN Router (fixed in firmware releases 1.0.03.22 and later)
  • RV345P Dual WAN Gigabit POE VPN Router (fixed in firmware releases 1.0.03.22 and later)
  • RV160 VPN Routers (fixed in firmware releases 1.0.01.04 and later)
  • RV160W Wireless-AC VPN Routers (fixed in firmware releases 1.0.01.04 and later)
  • RV260 VPN Routers (fixed in firmware releases 1.0.01.04 and later)
  • RV260P VPN Router with PoE (fixed in firmware releases 1.0.01.04 and later)
  • RV260W Wireless-AC VPN Routers (fixed in firmware releases 1.0.01.04 and later)

Mitigation

There are no workarounds available; therefore, CYREBRO recommends updating vulnerable devices to the fixed firmware releases listed above.

To download the software from the Software Center on Cisco.com, click Browse All and navigate to Downloads Home > Routers > Small Business Routers > Small Business RV Series Routers.
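A practical way to act on the fixed-release list above is to compare each device's running firmware against it. The following Python is an added example, not code from Cisco or CYREBRO; it assumes firmware versions use the dotted numeric form shown in the list (e.g. 1.0.03.22), and the inventory it checks is constructed for the demo.

```python
"""Check an inventory of Cisco RV-series routers against the fixed firmware
releases listed in this advisory. Added example, not Cisco or CYREBRO code.
Assumption: firmware versions are dotted numeric strings like 1.0.03.22."""

# First fixed release per model, taken from the Affected Products list.
FIXED_RELEASE = {
    "RV340": "1.0.03.22", "RV340W": "1.0.03.22",
    "RV345": "1.0.03.22", "RV345P": "1.0.03.22",
    "RV160": "1.0.01.04", "RV160W": "1.0.01.04",
    "RV260": "1.0.01.04", "RV260P": "1.0.01.04", "RV260W": "1.0.01.04",
}

def parse_version(ver):
    """Turn '1.0.03.22' into (1, 0, 3, 22) so components compare numerically;
    a plain string comparison would mis-order zero-padded fields."""
    parts = ver.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {ver!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(model, firmware):
    """True if this model runs firmware older than its first fixed release.
    Models not in the advisory return False (out of scope, not 'safe')."""
    fixed = FIXED_RELEASE.get(model.upper())
    if fixed is None:
        return False
    return parse_version(firmware) < parse_version(fixed)

def devices_needing_update(inventory):
    """inventory: iterable of (hostname, model, firmware) tuples.
    Returns the hostnames that should be upgraded, in input order."""
    return [host for host, model, fw in inventory if is_vulnerable(model, fw)]

# Constructed sample inventory (hostnames and versions are made up for the demo).
SAMPLE_INVENTORY = [
    ("branch-a-gw", "RV340", "1.0.03.21"),   # older than 1.0.03.22 -> update
    ("branch-b-gw", "RV345P", "1.0.03.22"),  # exactly the fixed release -> ok
    ("branch-c-gw", "RV160W", "1.0.01.03"),  # older than 1.0.01.04 -> update
    ("branch-d-gw", "RV260", "1.0.01.10"),   # newer than the fix -> ok
    ("core-fw", "RV345", "1.0.03.30"),       # newer than the fix -> ok
]

if __name__ == "__main__":
    for host in devices_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: firmware below fixed release, schedule upgrade")
```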

References: Cisco Security Advisories
