Cisco warns customers of critical vulnerabilities in small business routers

Cisco Systems Inc. is warning customers of two critical vulnerabilities in the web-management interface of some of its small business routers that could allow a remote attacker to gain access to a targeted device.

The vulnerabilities have been found in Cisco Small Business RV016, RV042, RV042G and RV082 routers. Using the access, an attacker can bypass authentication or execute arbitrary commands on the underlying operating system of an affected device.

The first vulnerability – CVE-2023-20025, is due to improper validation of user input within incoming HTTP packets. An attacker can exploit this vulnerability by sending a crafted HTTP request to the web-based management interface, bypassing authentication and gaining root access to the underlying operating system.

The second vulnerability – CVE-2023-20026, is also due to improper validation of user input within incoming HTTP packets. Like the first vulnerability, an attacker could exploit the vulnerability by sending a crafted HTTP request to the web-based management interface. Using the exploit, an attacker could gain root-level privileges and access unauthorized data.

It is noted that to exploit the second vulnerability, an attacker would need to have valid administrative credentials on the affected device.

There is no software update or workarounds to address the vulnerabilities. While there are no workarounds, administrators can mitigate the vulnerabilities by disabling remote management and blocking access to ports 443 and 60443. The routers will still be accessible through the LAN interface after the mitigation has been implemented.

Notably, Cisco said it would not release software updates to address the vulnerabilities as the routers have entered the end-of-life process.

“The Cisco small business routers affected by these vulnerabilities still see reasonably widespread usage, though they are all officially end of life,” Mike Parkin, senior technical engineer at enterprise cyber risk remediation company Vulcan Cyber Ltd., told SiliconANGLE. “The challenge will be that these devices are typically found in small businesses with limited resources or used by individuals who may not have the budget to replace them.”

Noting that it’s unfortunate that Cisco is not going to fix the vulnerabilities, Parkin warned that “anyone who still has one of these in service should strongly consider replacing them with newer kit sooner rather than later.”

John Bambenek, principal threat hunter at cloud data analytics provider Netenrich Inc. noted that “it’s always a best practice not to allow remote administration of network devices accessible from the open internet, however, small business using some MSP/MSSPs have to leave it open for their service providers.”

“That said, this is the worst of all worlds with proof of concept code publicly available and no mitigations or patches available,” Bambenek added.

Photo: Rawpixel