Cisco has rolled out fixes for many critical vulnerabilities in the web-based management interface of Smaller Organization routers that could probably let an unauthenticated, remote attacker to execute arbitrary code as the root person on an impacted product.
The flaws — tracked from CVE-2021-1289 by way of CVE-2021-1295 (CVSS score 9.8) — impact RV160, RV160W, RV260, RV260P, and RV260W VPN routers running a firmware release earlier than Release 1..01.02.
Alongside with the aforementioned 3 vulnerabilities, patches have also been released for two more arbitrary file publish flaws (CVE-2021-1296 and CVE-2021-1297) affecting the exact same set of VPN routers that could have produced it doable for an adversary to overwrite arbitrary information on the susceptible program.
All the 9 security issues had been reported to the networking machines maker by security researcher Takeshi Shiomitsu, who has formerly uncovered comparable critical flaws in RV110W, RV130W, and RV215W Routers that could be leveraged for remote code execution (RCE) attacks.
When exact details of the vulnerabilities are nonetheless unclear, Cisco reported the flaws —
- CVE-2021-1289, CVE-2021-1290, CVE-2021-1291, CVE-2021-1292, CVE-2021-1293, CVE-2021-1294, and CVE-2021-1295 are a outcome of poor validation of HTTP requests, enabling an attacker to craft a specially-crafted HTTP request to the web-centered administration interface and reach RCE.
- CVE-2021-1296 and CVE-2021-1297 are because of to inadequate enter validation, permitting an attacker to exploit these flaws using the web-based administration interface to add a file to a location that they should not have entry to.
Independently, a further established of five glitches (CVE-2021-1314 via CVE-2021-1318) in the web-centered management interface of Little Small business RV016, RV042, RV042G, RV082, RV320, and RV325 routers could have granted an attacker the capability to inject arbitrary instructions on the routers that are executed with root privileges.
And lastly, Cisco also dealt with 30 extra vulnerabilities (CVE-2021-1319 through CVE-2021-1348), impacting the very same established of products and solutions, that could make it possible for an authenticated, distant attacker to execute arbitrary code and even result in a denial-of-provider ailment.
“To exploit these vulnerabilities, an attacker would require to have valid administrator credentials on the influenced machine,” Cisco stated in an advisory posted on February 3.
Kai Cheng from the Institute of Info Engineering, which is aspect of the Chinese Academy of Sciences, has been credited with reporting the 35 flaws in the router administration interface.
The enterprise also observed you will find been no proof of energetic exploitation makes an attempt in the wild for any of these flaws, nor are there any workarounds that address the vulnerabilities.
Uncovered this post appealing? Follow THN on Fb, Twitter and LinkedIn to study much more exceptional written content we publish.
Some components of this posting are sourced from: