A number of Cisco Small Business RV Series Routers
were found to be vulnerable to a couple of attacks, and Cisco was quick to
explain what the vulnerabilities were and that patches had been issued.
Cisco confirmed that command injection and arbitrary command
execution vulnerabilities were found in router series including RV016,
RV042, RV042G, RV082, RV320, and RV325. Both vulnerabilities are considered
high risk, which is the main reason for issuing patches so quickly.
“A vulnerability in the web-based management interface of
certain Cisco Small Business RV Series Routers could allow an authenticated,
remote attacker with administrative privileges to inject arbitrary commands
into the underlying operating system,” Cisco says in the advisory. “When
processed, the commands will be executed with root privileges.”
As for the arbitrary command execution vulnerability,
Cisco explained that the web-based management interface could let an
authenticated, remote attacker execute arbitrary commands with root privileges.
The Cisco developers also said no workaround existed that
addressed these two vulnerabilities. The only way to reduce the
attack surface was for admins to disable the Remote Management feature. In
fact, a new router has this feature disabled by default.
Even though Cisco released new firmware updates, these
are not applied automatically. Users have to install such updates themselves.
Vulnerabilities in routers are not uncommon, but many remain unaddressed. One reason
is the lack of automatic deployment for security patches.