Cisco is working on developing patches for several vulnerabilities affecting its RV series routers, including a critical flaw that can be exploited by a remote attacker for arbitrary code execution.
The security holes, reported to Cisco by researcher Samuel Huntley, affect the RV110W Wireless-N VPN firewall, the RV130W Wireless-N Multifunction VPN router, and the RV215W Wireless-N VPN router.
The critical vulnerability, identified as CVE-2016-1395, is caused by insufficient sanitization of HTTP user input in the device’s web interface. It allows a remote, unauthenticated attacker to execute arbitrary code with root privileges on the targeted system.
“An attacker could exploit this vulnerability by sending a crafted HTTP request with custom user data,” Cisco said in its advisory. “An exploit could allow the attacker to execute arbitrary code with root-level privileges on the affected system, which could be leveraged to conduct further attacks.”
Another issue found in the web-based management interface of Cisco’s RV series routers is a cross-site scripting (XSS) vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code or access sensitive browser information. An attacker needs to convince the victim to access a specially crafted link in order to exploit the vulnerability (CVE-2016-1396).
Huntley also discovered a couple of denial-of-service (DoS) vulnerabilities in the web interface of Cisco RV110W, RV130W and RV215W routers. The flaws, tracked as CVE-2016-1398 and CVE-2016-1397, are buffer overflows that allow an authenticated attacker to cause the devices to reload and enter a DoS condition by sending them specially crafted HTTP requests. The XSS and DoS flaws have been rated “medium severity.”
None of these vulnerabilities have been patched and there are no workarounds. Cisco expects to release firmware updates in the third quarter of 2016. In the meantime, the company pointed out that the web-based management interface affected by the flaws is only accessible via a local LAN connection or the remote management feature, which is disabled by default.
The networking giant says there is no evidence that any of these flaws have been exploited for malicious purposes.