Security researcher Samuel Huntley has discovered four vulnerabilities in Cisco’s RV range of small business Wi-Fi routers, the worst of which could allow an unauthenticated, remote attacker to execute arbitrary code as root on a targeted system.
Unfortunately, the company hasn’t yet released firmware updates that plug these holes – they are scheduled for release in the third quarter of 2016 – and no workarounds are available if you need keep the remote management feature enabled.
The vulnerable products are the RV110W Wireless-N VPN Firewall, the RV130W Wireless-N Multifunction VPN Router, and the RV215W Wireless-N VPN Router.
Apart from the code execution flaw, they are also open to two (1, 2) HTTP request buffer overflow vulnerabilities that could result in a DoS condition on the targeted systems, and a cross-site scripting (XSS) vulnerability that could be exploited by attackers to access sensitive browser-based information.
All the vulnerabilities affect the devices’ web-based management interface, can be exploited remotely, and the code execution and XSS flaws can be triggered by unauthenticated attackers.
Until the security updates are made available, users that do not require the remote management option are advised to disable it (if they have enabled in the first place, as the affected devices come with the feature switched off).
“To determine whether the remote management feature is enabled for a device, open the web-based management interface for the device and then choose Basic Settings > Remote Management. If the Enable check box is checked, remote management is enabled for the device,” the company instructed.
The only good news so far is that there is no indication that any of these flaws are being exploited in the wild.
UPDATE (JUNE 23, 2016): Cisco has released firmware updates that address some of these vulnerabilities. The code execution flaw (CVE-2016-1395) has for now been fixed just in the new firmware for the Cisco RV130W Wireless-N Multifunction VPN Router.