Critical Cisco Router Flaws That Let Attackers Execute Arbitrary Code

Cisco released critical security patches to address bugs in its Small Business VPN routers. The vulnerabilities, tracked as CVE-2021-1609 (CVSS score: 9.8) and CVE-2021-1610 (CVSS score: 7.2), were found in the web-based management interface of the Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers.

These critical flaws let an attacker do the following:

  • Execute arbitrary code
  • Cause a denial of service (DoS) condition
  • Execute arbitrary commands

Cisco states that these vulnerabilities affect the Cisco Small Business Routers if they are running a firmware release earlier than Release 1.0.03.22.

The critical flaws stem from a lack of proper validation of HTTP requests, which allows an attacker to send a specially crafted HTTP request to a vulnerable device.

Vulnerability Details and Fixed Releases

The vulnerability (CVE-2021-1609) in the web-based management interface could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device or cause the device to reload, resulting in a denial of service (DoS) condition.

The vulnerability (CVE-2021-1610) in the web-based management interface could allow an authenticated, remote attacker to execute arbitrary commands with root privileges on an affected device.

Cisco fixed these vulnerabilities in firmware releases 1.0.03.22 and later.

Cisco also addressed a high-severity remote code execution bug (CVE-2021-1602, CVSS score: 8.2) impacting its Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers.

The advisory states that this could allow a remote attacker to execute arbitrary commands on the underlying operating system of an affected device. Small Business RV Series Routers running firmware versions earlier than 1.0.01.04 are susceptible. This vulnerability is due to insufficient user input validation.

Cisco said, "A successful exploit could allow the attacker to execute arbitrary commands on an affected device using root-level privileges. Due to the nature of the vulnerability, only commands without parameters can be executed."

Cisco fixed this vulnerability in firmware releases 1.0.01.04 and later.

Cisco advises its customers to ensure that the devices to be upgraded contain sufficient memory and to confirm that current hardware and software configurations will continue to be supported properly by the new release.

This is the second time Cisco has fixed critical remote code execution flaws concerning the same set of VPN appliances. The company specifies that there's no evidence of active exploitation attempts in the wild for any of these flaws, nor are there any workarounds that address the vulnerabilities.
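
With no workarounds available, remediation comes down to finding devices that run firmware below the fixed releases. The following is an added example, not code from Cisco or the original article: a Python inventory check built on the models, CVE ids and fixed releases stated above. The CSV column names (`hostname`, `model`, `firmware`) and the sample hostnames are assumptions.

```python
import csv
import io

# Models, fixed releases and CVE ids exactly as stated in the article above.
ADVISORIES = [
    ({"RV340", "RV340W", "RV345", "RV345P"}, "1.0.03.22", ["CVE-2021-1609", "CVE-2021-1610"]),
    ({"RV160", "RV160W", "RV260", "RV260P", "RV260W"}, "1.0.01.04", ["CVE-2021-1602"]),
]

def parse_version(text):
    """Turn '1.0.03.22' into (1, 0, 3, 22) so fields compare numerically, not as strings."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def open_cves(model, firmware):
    """Return the CVEs from the article that are still open for this model and firmware."""
    have = parse_version(firmware)
    for models, fixed, cves in ADVISORIES:
        if model.strip().upper() in models:
            return list(cves) if have < parse_version(fixed) else []
    return []  # model is not covered by the advisories discussed here

def triage(inventory_csv):
    """Map hostname -> open CVEs for a CSV inventory; unreadable versions are flagged."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            cves = open_cves(row["model"], row["firmware"])
        except ValueError:
            cves = ["check manually"]
        if cves:
            report[row["hostname"]] = cves
    return report

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = """hostname,model,firmware
branch-01,RV340,1.0.03.21
branch-02,RV345P,1.0.03.22
branch-03,rv260w,1.0.00.17
branch-04,RV160,1.0.01.04
branch-05,RV340W,unknown
"""

if __name__ == "__main__":
    for host, cves in triage(SAMPLE).items():
        print(host, ", ".join(cves))
```

Hosts that do not appear in the report are either at a fixed release or are models outside these advisories.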


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.