Cisco Pushes Critical Fixes for Small-Business VPN Router Product Line
- Cisco received some alarming reports about multiple vulnerabilities affecting its VPN routers line.
- The networking giant has released a fixing firmware now, so users are urged to apply the update immediately.
- There are no workarounds or other mitigations, so you should disconnect the devices if you can’t update.
Cisco has fixed a respectable number of severe remote code execution (RCE) flaws that affect various models of its small business VPN routers line. Many of the identified and fixed flaws are of a high impact, and a couple are critical vulnerabilities that can cause serious trouble. For more details on what is what, check out this advisory by Cisco.
The products that are affected are the following:
- RV160 VPN Router
- RV160W Wireless-AC VPN Router
- RV260 VPN Router
- RV260P VPN Router with POE
- RV260W Wireless-AC VPN Router
Most notably, these are vulnerable to CVE-2021-1289, CVE-2021-1290, CVE-2021-1291, CVE-2021-1292, CVE-2021-1293, CVE-2021-1294, CVE-2021-1295, which are high-severity flaws concerning firmware versions earlier than 1.0.01.02. Cisco received a tip about the vulnerabilities from researchers at Trend Micro’s Zero Day initiative, the Chaitin Security Research Lab, and the 1AQ Team.
The flaws reside in the web-based management interface of the products, enabling an unauthenticated actor to execute code remotely as root. The consequences of this would be terrible, so users of the aforementioned products are urged to apply the firmware update immediately. Also, there are no workarounds, so if you can’t perform the upgrade now, you may want to take more drastic precautions.
The products that are not affected and whose owners are not in an urgent situation to do anything are the following:
- RV340 Dual WAN Gigabit VPN Router
- RV340W Dual WAN Gigabit Wireless-AC VPN Router
- RV345 Dual WAN Gigabit VPN Router
- RV345P Dual WAN Gigabit POE VPN Router
As for whether the vulnerabilities were under active exploitation, Cisco’s Product Security Incident Response Team states that they are not aware of any announcements or other signs of malicious exploitation of these flaws. Thus, it’s likely that the researchers were the first to figure them out.
To download the latest firmware for the affected products, go to the Software Center, click on Browse All, choose Routers > Small Business Routers > Small Business RV Series Routers, pick your VPN router model, select Small Business Router Firmware, and download the corresponding release. If you did it right, you should end up getting version 1.0.01.02 or later.