Cisco patches serious vulnerabilities in small business RV Series routers

The flaws allow attackers to execute commands, overwrite files and launch CSRF attacks

Cisco Systems released patches for its small business RV Series routers and firewalls to address vulnerabilities that could allow attackers to execute arbitrary commands and overwrite files on the vulnerable devices.

The affected products are Cisco RV120W Wireless-N VPN Firewall, Cisco RV180 VPN Router, Cisco RV180W Wireless-N Multifunction VPN Router, and Cisco RV220W Wireless Network Security Firewall. However, firmware updates have been released only for the first three models, while the fixes for Cisco RV220W are expected later this month.

One of the patched flaws allows an attacker to execute arbitrary commands as root -- the highest privileged account -- through the network diagnostics page in a device's Web-based administration interface. The flaw stems from improper input validation in a form field that's supposed to only allow the PING command. Its exploitation requires an authenticated session to the router interface.

A second vulnerability allows attackers to execute cross-site request forgery (CSRF) attacks against users who are already authenticated on the devices. Attackers can piggyback on their authenticated browser sessions to perform unauthorized actions if they can trick those users to click on specially crafted links.

This vulnerability also provides a way to remotely exploit the first flaw. Researchers from Dutch security firm Securify, who found both issues, published a proof-of-concept URL that leverages the CSRF flaw to inject a command through the first vulnerability that adds a rogue administrator account on the targeted device.

A third security flaw that was patched by Cisco allows an unauthenticated attacker to upload files to arbitrary locations on a vulnerable device using root privileges. Existing files will be overwritten, the Securify researchers said.

Cisco released firmware versions 1.0.4.14 for the RV180 and RV180W models and firmware version 1.0.5.9 for the RV120W.

Users can limit the exposure of their devices to these flaws by not allowing remote access from the Internet to their administrative interfaces. If remote management is required, the Web Access configuration screen on the devices can be used to restrict access only to specific IP addresses, Cisco said in its advisory.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags patchesCisco SystemsSecurifysecuritypatch managementExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?