• Stephen Parsons

Cisco patches critical vulnerabilities in common VPN routers - Patch ASAP

Cisco patched arbitrary code execution and command execution vulnerabilities (CVE-2021-1609, CVE-2021-1610 & CVE-2021-1602) in VPN routers


Description

Cisco has patched vulnerabilities affecting multiple Small Business VPN routers, with US-CERT recommending ‘Patch ASAP’.

CVE-2021-1609 and CVE-2021-1610 are vulnerabilities identified in the web-based management interfaces, with a CVSS score of 9.8. These vulnerabilities exist due to insufficient validation of HTTP requests. Successful exploitation of these vulnerabilities can allow an unauthenticated remote attacker to execute arbitrary code on the device or cause the device to reload.

Affected Products:

  • RV340 Dual WAN Gigabit VPN Router
  • RV340W Dual WAN Gigabit Wireless-AC VPN Router
  • RV345 Dual WAN Gigabit VPN Router
  • RV345P Dual WAN Gigabit POE VPN Router

CVE-2021-1602 is a vulnerability in the web-based management interface of Cisco Small Business VPN Routers that could allow an unauthenticated remote attacker to execute arbitrary commands on an affected device. This vulnerability exists due to insufficient user input validation and has a CVSS score of 8.2.

Affected Products:

  • RV160 VPN Routers
  • RV160W Wireless-AC VPN Routers
  • RV260 VPN Routers
  • RV260P VPN Router with PoE
  • RV260W Wireless-AC VPN Routers

Recommendation

Update all of the products listed above to the latest available patches.

Reference

  • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-code-execution-9UVJr7k4

  • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv340-cmdinj-rcedos-pY8J3qfy

  • https://www.techradar.com/news/cisco-finally-patches-months-old-vpn-security-flaw

  • https://nvd.nist.gov/vuln/detail/CVE-2021-1610

  • https://nvd.nist.gov/vuln/detail/CVE-2021-1602

  • https://us-cert.cisa.gov/ncas/current-activity/2020/07/15/cisco-releases-security-updates-multiple-products



