Risk mitigation involves disabling remote device management

Nov 6, 2014 23:35 GMT

Four Cisco routers from the RV series intended for small businesses have been found vulnerable to attacks that could allow execution of arbitrary commands and uploading files to any location on the device.

The affected products are Cisco RV120W Wireless-N VPN Firewall, Cisco RV180 VPN Router, Cisco RV180W Wireless-N Multifunction VPN Router, and Cisco RV220W Wireless Network Security Firewall.

Command injection, CSRF attack and insecure file upload glitches

Cisco issued an advisory on Wednesday detailing a total of three flaws affecting the above-mentioned products and released firmware updates for all but one product, RV220W, which is expected to receive a patch by the end of the month.

One of the security glitches detected by the company allows a potential attacker to remotely execute arbitrary commands with the highest privileges (root), by delivering a specially crafted HTTP request to the vulnerable device.

The flaw can be exploited provided that the attacker is authenticated. Identified as CVE-2014-2177, the glitch resides in the network diagnostics administration pages of the routers and emerged because of improper validation of user-supplied input.

Another bug (CVE-2014-2178) covered by the latest updates opens the door to a cross-site request forgery (CSRF) attack by a remote, unauthenticated intruder.

User intervention is required to carry out the compromise: an authenticated victim has to be tricked into following a maliciously crafted link, which allows the attacker to complete unauthorized actions with the same privileges as the authenticated user.

The third vulnerability (CVE-2014-2179) plaguing Cisco RV series routers is in the way file uploads are handled, allowing a remote, unauthenticated individual to place a file anywhere on the device.

According to Securify, the company that reported all three issues to Cisco, a certain cookie handled in an insecure manner allows a potential attacker to set an arbitrary path for the uploaded file, which would overwrite existing items.

Researchers say that this is possible because the cookie value is used as the path name and there is no input validation for it.
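The pattern the researchers describe, next to a hardened form, as an added illustration that is not Cisco's firmware code and not part of the original article. All function names, the directory layout and the sample cookie values are assumptions constructed for the example.

```python
import os
import tempfile

def unsafe_destination(cookie_value, filename):
    # Flawed pattern from the report: the client-supplied cookie value is
    # used as the path name, with no validation.
    return os.path.normpath(os.path.join(cookie_value, filename))

def safe_destination(upload_root, cookie_value, filename):
    # The server chooses the root; the cookie may only name a folder inside it.
    root = os.path.realpath(upload_root)
    if os.path.basename(filename) != filename or filename in ("", ".", ".."):
        raise ValueError("file name must be a single path component")
    # realpath collapses ".." and symlinks, and an absolute cookie value
    # replaces the root in os.path.join, so both cases fail the check below.
    candidate = os.path.realpath(os.path.join(root, cookie_value, filename))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("destination escapes the upload directory")
    return candidate

def store_upload(upload_root, cookie_value, filename, data):
    dest = safe_destination(upload_root, cookie_value, filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    # O_EXCL refuses to overwrite an existing file; O_NOFOLLOW refuses a
    # symlink planted at the final path component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(dest, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest

def demo():
    # Constructed cookie values: one benign folder name, two escape attempts.
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for cookie in ("firmware", "/etc", "../../etc"):
            try:
                store_upload(root, cookie, "config.bin", b"\x00")
                results[cookie] = "stored"
            except ValueError:
                results[cookie] = "rejected"
    return results

if __name__ == "__main__":
    print(unsafe_destination("/etc", "config.bin"))
    print(demo())
```
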

Workarounds for reducing risk until permanent fix is applied

Cisco provides firmware update 1.0.4.14 for the RV180 and RV180W devices and 1.0.5.9 for the RV120W.

If these cannot be applied right away, the company offers workaround solutions for eliminating the security risks until the update with a permanent fix can be installed; these settings are valid for RV220W, too.

The measures consist of disabling remote management for the devices, so that an attacker outside the network would not be able to connect to the router and make modifications; however, if management is done through the WAN, this action is not required.

This would limit exploitation attempts to users in the LAN and would also prevent Cisco QuickVPN access.

Another option is to restrict remote management permission to certain IP addresses.