Cisco has released security fixes for several models of wireless VPN firewalls and routers, plugging a remote code execution flaw (CVE-2019-1663) that can be triggered via a malicious HTTP request.
The vulnerability affects the following devices:
- Cisco RV110W Wireless-N VPN Firewall
- Cisco RV130W Wireless-N Multifunction VPN Router
- Cisco RV215W Wireless-N VPN Router
The flaw is in the devices’ web-based management interface and arose due to improper validation of user-supplied data. By sending a malicious HTTP request to a vulnerable device, an attacker may be able to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user.
The vulnerability was discovered by Yu Zhang and Haoliang Lu and disclosed in October 2018 at GeekPwn Shanghai, without any technical details or mention of the affected products. It has apparently also been flagged by Takeshi Shiomitsu of UK-based Pen Test Partners.
There seems to be no publicly available exploit code for the flaw at this time and Cisco does not mention any active exploitation attempts.
The flaw is serious, but can be exploited only if a device’s web-based management interface is available through a local LAN connection or the remote management feature, and the latter is disabled by default.
Nevertheless, users are urged to install the provided fixed releases as soon as possible.
UPDATE (28 February, 2019, 11:58 PT):
Pen Test Partners have released a root-cause analysis of the vulnerability and PoC code.
UPDATE (4 March, 2019, 02:50 PT):
Scans and exploitation attempts using the PoC provided by Pen Test Partners have been spotted as early as Friday. According to Rapid7, “there are just shy of 12,000 exposed devices on the internet” and nearly all are “listening on the default HTTPS port, 443/TCP, or common alternate HTTPS ports such as 8443/TCP + 9443/TCP, and a handful of other ports.”
“Every single one of these routers is vulnerable to the RCE attack unless they apply the available patch,” the company’s researchers pointed out.