Cisco says it’s fixed flaw affecting multiple small business VPN routers
Cisco has released patches for two security flaws that impact several of the company’s VPN routers for small businesses.
The two vulnerabilities, tracked as CVE-2021-1609 and CVE-2021-1602, were discovered in the company’s web-based management interface.
While CVE-2021-1609, which exists as a result of improperly validated HTTP requests, impacts Cisco’s RV340, RV350W, RV345 and RV345P Dual WAN Gigabit VPN routers, CVE-2021-1602, which is due to insufficient user input validation, impacts RV160, RV160W, RV260, RV260P and RV260W VPN routers.
TechRadar needs you!
We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.
According to a security advisory from Cisco, CVE-2021-1609 can be exploited by a remote attacker on one of the vulnerable VPN routers to execute arbitrary code or to cause the device to reload resulting in a denial of service (DoS) condition.
In a second security advisory, the networking giant explained that CVE-2021-1602 can be exploited by an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of affected devices.
Remote management disabled by default
Although these two vulnerabilities have CVSS scores of 9.8 and 8.2, launching an attack that exploits them will prove challenging for hackers as the remote management feature is disabled by default on all of the affected VPN routers.
Instead organizations need to use a local LAN connection to access Cisco’s web-based management interface where both security flaws reside. Still though, owners of affected devices can check to see if remote management has been enabled by accessing the web-based management interface, going to “Basic Settings” and seeing if the “Remote Management” option has been toggled on.
While Cisco says that there are no workarounds available to address these vulnerabilities, the company has released software updates to address both security flaws. Additionally the company’s Product Security Incident Response Team (PSIRT) has not observed any exploits or attacks in the wild leveraging these vulnerabilities.
Organizations that own one of the impacted VPN routers can go to Cisco’s Software Center to download the patched firmware for their devices.