Cisco plugs hole in firewall devices that could lead to device hijacking

Cisco has released a firmware update that plugs a critical, easy-to-exploit vulnerability that could allow a remote attacker to take control of the company’s RV220W Wireless Network Security Firewall devices.

The flaw is present in the device’s web-based management interface, and affects firmware versions prior to 1.0.7.2. It was flagged by an anonymous researcher working with the Beyond Security’s SecuriTeam Secure Disclosure program.

“The vulnerability is due to insufficient input validation of HTTP request headers that are sent to the web-based management interface of an affected device,” the company explained in a security advisory published on Wednesday.

“An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted HTTP request that contains malicious SQL statements to the management interface of a targeted device. Depending on whether remote management is configured for the device, the management interface may use the SQL code in the HTTP request header to determine user privileges for the device. A successful exploit could allow the attacker to bypass authentication on the management interface and gain administrative privileges on the device.”

There are workarounds/mitigations for the problem – disabling or restricting access to remote management functionality for an affected device – but the best thing to do, if possible, is to update the firmware to the latest version (v1.0.7.2). You can get it here.

The company’s PSIRT is not aware of instances of this vulnerability having been or being exploited in the wild. Admins who want to check whether their devices have been compromised via this flaw can look into the Authentication, Accounting, and Authorization (AAA) log files for suspect or malicious login data.

Cisco made sure to note that their RV120W Wireless-N VPN Firewalla, RV180 VPN Routers, and RV180W Wireless-N Multifunction VPN Routers are not affected by the flaw.