A new critical Cisco SMB router bug has discovered, that allows an attacker to bypass authentication and execute arbitrary commands. The vulnerability is in the Adaptive Security Device Manager (ADSM) Launcher.
Adaptive Security Device Manager (ADSM) Launcher vulnerability
There has been an uptick in attacks against the networking giant in recent years. The latest in a string of high-profile security breaches includes the notoriously unreliable VPN client of a Cisco employee. It’s a shame, because the router and firewall are crucial parts of any network security strategy. One problem is that most enterprise network administrators are not privy to their corporate router’s firmware and configuration. Consequently, hackers have access to critical data and can perform a variety of exploits, from man-in-the-middle attacks to DDoS and other nefarious activities.
Aside from the obvious culprits like compromised or lost user accounts, malware attacks have become more commonplace as the market for enterprise-grade routers continues to mature. This means that the company must do more than simply patch the holes in its firewall. To be a successful organization, it must also engage in a more robust security mindset involving proper password and user authentication, as well as proactive monitoring and patching of its devices. By doing so, it can better protect against these types of malicious attacks.
Ways to improve your cyber security
There are many ways to improve your cyber security posture and your overall bottom line. Using the right tools and tricks will not only ensure the continued safety of your most important assets, but will keep your business compliant and profitable in the long run. While you are at it, make sure to get your hands on the latest hardware and software updates, especially those pertaining to the router.
Most companies are stuck in the past with outdated firmware, unpatched routers and other hardware maladies that will only lead to the downfall of an otherwise competent IT department. Hopefully, you have alerted to these and other threats and can put a stop to them before they strike your company. For more information, visit Cisco’s website. Regardless of which brand of router you use, make sure to keep it up to date, preferably by using the auto-update features and manual firmware upgrades.
Authentication bypass vulnerability
The Cisco SMB router is susceptible to a critical authentication bypass flaw. This flaw can exploit by an unauthenticated remote attacker, leading to remote code execution and root access.
There are a few workarounds that can mitigate the effects, including disabling remote management, limiting the number of source IPs from which the UI can accessed, and deploying VLANs to limit devices that can see the router on the LAN side. Unfortunately, Cisco has not announced any patches to fix the issue.
The Cisco RV340, RV340W, and RV345P are dual WAN Gigbit VPN routers. These routers are vulnerable to multiple flaws, including system command injection and a buffer overrun. However, there are two bugs that are particularly noteworthy.
One bug involves a buffer overrun that lets an attacker execute arbitrary code without a password. The other bug exploits the encryption of a configuration backup file. While this may sound like a dud, it has a much larger impact since it can allow an attacker to obtain a list of legitimate login credentials.
User input validation
A more technical, and possibly more revealing, vulnerability involves user input validation on incoming HTTP packets. A remote attacker can use the bug to send crafted HTTP requests. If an unauthenticated attacker is successful, the resulting attack can result in a denial of service.
Cisco also issued an alert about a high-severity bug in the web-based management interface. In this bug, an attacker can send a crafted HTTP request to the management interface and gain remote code execution. Luckily, this bug isn’t a real-world exploit, because it can’t exploit on routers that don’t have Remote Administration turned on.
Although Cisco hasn’t released any patches for the bug, it has warned customers about the issue. Hopefully, the company will release a patch soon.
Finally, a proof-of-concept exploit for the bug is floating around in the wild. The exploit identifies the version of the device and the most important information about the device, then starts a telnet daemon as root and listens on TCP port 8888. Once it gets root privileges, it can do just about anything the exploit is design to do.
Remote command execution vulnerability
The Cisco Small Business RV Series Routers have exposed to several vulnerabilities. One is a high-impact Remote Command Execution vulnerability that can exploited by an unauthenticated attacker. If the attacker can successfully exploit this flaw, they could gain access to the device and its data, possibly allowing them to perform arbitrary actions.
An attacker may be able to exploit this vulnerability by sending a specially designed HTTP request to an affected device. This will cause the device to execute arbitrary code on the underlying Linux operating system. It is important to note that an attacker must have a foothold on a specific network device connected to the router to be able to exploit this vulnerability.
There are several ways that an attacker could exploit this flaw. In addition to executing arbitrary code, an attacker could also bypass authentication and perform a denial-of-service attack.
An attacker can also exploit this flaw by leveraging a machine-in-the-middle position. This would allow them to leverage the device to decrypt or modify data. They can also use it to launch a remote command execution attack, which allows them to take control of the device and its systems.
Small Business Series Critical Cisco SMB Router Bug
The Cisco Small Business RV260, RV340, and RV345 series routers are all affected by this high-severity bug. To mitigate the threat, it is advisable to disable remote management. Also, administrators can block ports 443 and 60443 on the device.
Another issue involves pre-auth remote code execution, which allows an unauthenticated attacker to execute arbitrary commands on the router. This flaw has a CVSS score of 9.8.
Finally, there is an issue with the SSL VPN gateway, which allows an attacker to perform a remote employee access attack. This bug found on a Cisco router, and it typically used by small business organizations to connect to larger partners via a VPN tunnel.
Cisco has not released patches to fix this critical remote command execution vulnerability, and there are no plans to do so. However, the company does recommend that users patch their devices. After mitigation, these devices can still access via the LAN interface.
Mitigation measures for Critical Cisco SMB Router Bug
If you own a Cisco small business router, you may have discovered a bug that allows an unauthenticated attacker to execute commands. You may also have seen reports of this bug exploited to bypass authentication. The good news is that there are mitigation measures you can take to protect yourself. But first, let’s discuss what the problem is and what it does.
As mentioned in the introduction, Cisco routers are design for small and midsize businesses. That means that they’re often targeted by threat actors looking for a way to steal sensitive information or gain full control of a device. These threats can take many forms, from overwriting restricted files to directory traversal attacks.
It’s also possible to chain these vulnerabilities together to completely bypass the secure boot mechanism. This can then use to lock out future software updates. Another bug exploits the encryption of the configuration backup file. By reading this backup, an attacker can learn the login credentials for the device and then reload the device to access the web-based admin interface.
IOS XE operating system
While some of these bugs are trivial to exploit, others are more serious. For example, the IOS XE operating system has insufficient cross-site request forgery protections, making it possible for an attacker to launch a malicious HTTP request to execute commands. In other cases, the firmware is prone to buffer overrun attacks.
In this case, an attacker can send a specially-crafted HTTP request to the management interface to enumerate the configuration and execute commands. A remote attacker with access to the LAN side can then take over the device, executing arbitrary code as root.
If you’re a Cisco user, you may want to consider disabling Remote Management on the router. With this feature turned on, a rogue user can log into the web-based management interface and gain root access to the router.
Ultimately, the best mitigation strategy is to use VLANs, or Virtual Local Area Networks. You can then restrict devices on the LAN side to only those that are permit to see the router. And if you’re worried about a remote attacker being able to take over your device, you can block ports 443 and 60443.
Cisco is currently aware of three high-severity vulnerabilities. Two are in Small Business RV110W and RV215W routers.
Recommended readings:
