Cisco fixes small business routers, kills eavesdropping vulnerability in conferencing devices - Help Net Security

Cisco addressed critical and high severity pre-auth security vulnerabilities that impact multiple Small Business VPN routers. The two security flaws tracked as CVE-2021-1609 (rated 9.8/10) and CVE-2021-1602 (8.2/10) were found in the web-based management interfaces and exist due to improperly validated HTTP requests and insufficient user input validation, respectively.

CVE-2021-1609 impacts RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN routers, while CVE-2021-1602 affects RV160, RV160W, RV260, RV260P, and RV260W VPN routers.

“This vulnerability exists because HTTP requests are not properly validated. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device or cause the device to reload, resulting in a DoS condition.”

CVE-2021-1609 Advisory

“This vulnerability is due to insufficient user input validation. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface

CVE-2021-1602 Advisory

Both bugs are exploitable remotely without requiring authentication as part of low complexity attacks that don’t require user interaction. Attackers could exploit the vulnerabilities by sending maliciously crafted HTTP requests to the affected routers’ web-based management interfaces.

The web-based management interface for these devices is available through local LAN connections by default and cannot be disabled there. The interface can also be made available through the WAN interface by enabling the remote management feature. By default, the remote management feature is disabled on affected devices.

The IT giant says no workarounds are available to secure the devices, and the Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild exploiting the above flaws.