Critical vulnerability in a Cisco VPN routers allow remote, unauthenticated attackers to take over affected devices

A Cisco security report notes the finding of a critical vulnerability in a small set of small business VPN routers whose exploitation would allow unauthenticated threat actors to take full control of an affected device. According to the report, there are nearly 9 thousand compromised systems exposed online, so the report should be taken seriously.

This flaw was tracked as CVE-2021-1609 and was addressed with Cisco’s latest patch release, covering the following solutions and products:

  • Cisco RV340, RV340W, RV345 & RV345P Dual WAN Gigabit VPN routers
  • Cisco Small Business RV160 & RV260 Series VPN routers
  • Cisco Packet Tracer for Windows
  • Cisco Network Services Orchestrator CLI Secure Shell Server
  • ConfD CLI Secure Shell Server

This patch also addresses other medium-security vulnerabilities.

CVE-2021-1609 affects VPN routers manufactured by Dual Gigabit WAN and exists in the web management interface for affected devices due to incorrect validation of HTTP requests. This flaw received a score of 9.8/10 according to the Common Vulnerability Scoring System (CVSS).

A subsequent analysis of these vulnerabilities indicates that threat actors could abuse these flaws by sending specially crafted HTTP requests, which could lead to arbitrary code execution and the deployment of denial of service (DoS) attacks.

It is worth mentioning that the remote management feature is disabled by default on the affected devices, so there is no possibility of attack with factory configurations. However, thousands of administrators resort to the use of these functions, so the range of attack is considerable.

In addition to this flaw, the report details CVE-2021-1610, a command injection bug that affects the web interface of these devices: “Both flaws exist due to improper validation of HTTP requests and can be exploited remotely; nonetheless, CVE-2021-1610 can only be exploited by an authenticated attacker with root privileges and its successful exploitation would allow gaining arbitrary command privileges on the affected system”

The updates are ready for installation, so users are recommended to deploy the patches as soon as possible, since although no active exploitation attempts have been detected, the appearance of any exploit in the coming days or weeks is not ruled out. If you are unable to upgrade, administrators of affected deployments are encouraged to turn off the remote management feature.   

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.