Cisco Fixes High Severity RCE Flaw on Two Small Business VPN Routers
Last updated September 25, 2021
Cisco has fixed a respectable number of severe remote code execution (RCE) flaws that affect various models of its small business VPN routers line. Many of the identified and fixed flaws are of a high impact, and a couple are critical vulnerabilities that can cause serious trouble. For more details on what is what, check out this advisory by Cisco.
The products that are affected are the following:
Most notably, these are vulnerable to CVE-2021-1289, CVE-2021-1290, CVE-2021-1291, CVE-2021-1292, CVE-2021-1293, CVE-2021-1294, CVE-2021-1295, which are high-severity flaws concerning firmware versions earlier than 1.0.01.02. Cisco received a tip about the vulnerabilities from researchers at Trend Micro’s Zero Day initiative, the Chaitin Security Research Lab, and the 1AQ Team.
The flaws reside in the web-based management interface of the products, enabling an unauthenticated actor to execute code remotely as root. The consequences of this would be terrible, so users of the aforementioned products are urged to apply the firmware update immediately. Also, there are no workarounds, so if you can’t perform the upgrade now, you may want to take more drastic precautions.
The products that are not affected and whose owners are not in an urgent situation to do anything are the following:
As for whether the vulnerabilities were under active exploitation, Cisco’s Product Security Incident Response Team states that they are not aware of any announcements or other signs of malicious exploitation of these flaws. Thus, it’s likely that the researchers were the first to figure them out.
To download the latest firmware for the affected products, go to the Software Center, click on Browse All, choose Routers > Small Business Routers > Small Business RV Series Routers, pick your VPN router model, select Small Business Router Firmware, and download the corresponding release. If you did it right, you should end up getting version 1.0.01.02 or later.