Cisco releases patch for small business VPN routers

Cisco released a patch for addressing a vulnerability impacting small business VPN routers and allowing arbitrary code execution or Denial of service by remote hackers.

The issues CVE-2021-1609 (CVSS score: 9.8) and CVE-2021-1610 (CVSS score: 7.2), identified by Swing of Chaitin Security Research Lab, exist in Small business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers running firmware releases prior to the  1.0.03.22 version. The identified issues are due to the absence of proper validation of HTTP requests. This allows a threat actor to conveniently send specially-crafted HTTP requests to an exposed device.

Cisco is a market leader in delivering innovative networking, cloud, security solutions, and other high-technology services to businesses.

If the hackers get successful in exploiting the identified issues, much damage can be caused. The exploitation of CVE-2021-1609 could lead to arbitrary code execution or Denial of Service. In the case of CVE-2021-1610, the attacker can remotely execute arbitrary commands with root privileges on an infected device.

Cisco further identified and addressed CVE-2021-1602 (CVSS score: 8.2), a severe remote code execution bug. This was engaged in affecting Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers running firmware versions earlier than 1.0.01.04.

Cisco stated that this vulnerability is the result of inadequate data validation. The exploitation of this could allow a remote attacker to execute arbitrary commands on the OS of an infected device. Cisco stated that no active exploitation of these flaws had been observed in the wild.

In the past also Cisco has made attempts to patch such flaws. In February 2021, it patched 35 flaws to restrict remote attackers from executing arbitrary codes as the root user on an infected device. So CVE-2021-1602 is the second attempt by Cisco to fix RCE flaws related to the same set of VPN appliances.