Cisco has patched two vulnerabilities in its RV34X series of small business-focused routers that could have been exploited separately or chained together to achieve unauthenticated remote code execution (RCE).
The authentication bypass and system command injection vulnerabilities, both in the RV34X web management interface, would have allowed a remote attacker to execute arbitrary commands or bypass authentication and upload files on an affected device.
Cisco has issued an advisory for the vulnerabilities, which received a CVSS score of 7.3.
Scanning the attack surface
The issues were uncovered by security firm IoT Inspector after an automated analysis uncovered some “promising” potential vulnerabilities, which were later confirmed and explored.
Complexity to exploit the vulnerability is “very low”, Florian Lukavsky, managing director of IoT Inspector, told The Daily Swig.
The first vulnerability – CVE-2021-1473 – could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.
Insufficient validation of user input meant that an attacker could send malicious requests to an affected device and run arbitrary commands on the underlying operating system.
Meanwhile, a bypass file upload vulnerability, CVE-2021-1472, was caused by improper session management on affected devices.
It could be exploited by sending a crafted HTTP request to the device, and could allow an unauthenticated, remote attacker to bypass authentication and upload files to directories that should require administrative permissions.
This could include the reading of any configuration settings, including users’ password hashes, as well as the ability to change passwords.
Inside the perimeter
“If the attacker can escalate his local privileges, reading or intercepting any traffic routed via the device would be possible too,” according to Lukavsky.
“The impact of the vulnerability mainly depends on the context of the router, environmental parameters, and how exposed the web interface is.
“If the web interface was accessible from a public guest network, for example, the potential impact will be higher than if it was only accessible via a restricted management network.”
The initial disclosure was made on February 2 this year, with Cisco confirming that the issue was valid on 27 February. The advisory was released on 7 April.
“Cisco’s PSIRT [Product Security Incident Response Team] is very well organized and they follow established vulnerability disclosure processes,” says Lukavsky. “We had a very positive and professional experience throughout the disclosure process.”
Currently, says Lukavsky, the issue appears to be confined to the RV34X series of routers.
“However, we did not heavily investigate how many other devices may be affected by this issue,” he says.
“On the other hand, we found additional issues in the same series and other vulnerabilities in other Cisco products, which are still in the fixing process. So stay tuned for more.”
Source: https://portswigger.net/daily-swig/cisco-router-flaws-left-small-business-networks-open-to-abuse