Cisco patched arbitrary code execution and command execution vulnerabilities (CVE-2021-1609, CVE-2021-1610 & CVE-2021-1602) in VPN routers
Description
Cisco has patched vulnerabilities affecting multiple Small Business VPN routers with US-CERT recommending ‘Patch ASAP’.
CVE-2021-1609 and CVE-2021-1610 are vulnerabilities in the web-based management interfaces, with a CVSS score of 9.8. These vulnerabilities exist due to insufficient validation of HTTP requests. Successful exploitation can allow an unauthenticated remote attacker to execute arbitrary code on the device or cause the device to reload.
Affected Products:
RV340 Dual WAN Gigabit VPN Router
RV340W Dual WAN Gigabit Wireless-AC VPN Router
RV345 Dual WAN Gigabit VPN Router
RV345P Dual WAN Gigabit POE VPN Router
CVE-2021-1602 is a vulnerability in the web-based management interface of Cisco Small Business VPN Routers that could allow an unauthenticated remote attacker to execute arbitrary commands on an affected device. This vulnerability exists due to insufficient user input validation and has a CVSS score of 8.2.
Affected Products:
RV160 VPN Routers
RV160W Wireless-AC VPN Routers
RV260 VPN Routers
RV260P VPN Router with PoE
RV260W Wireless-AC VPN Routers
Recommendation
Apply the latest available patches to all of the products listed above.
Reference
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-code-execution-9UVJr7k4
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv340-cmdinj-rcedos-pY8J3qfy
https://www.techradar.com/news/cisco-finally-patches-months-old-vpn-security-flaw
https://nvd.nist.gov/vuln/detail/CVE-2021-1610
https://nvd.nist.gov/vuln/detail/CVE-2021-1602
https://us-cert.cisa.gov/ncas/current-activity/2020/07/15/cisco-releases-security-updates-multiple-products