Number: IRCNE2014112371
Date: 2014/11/09
According to “techworld”, cisco Systems released patches for its small business RV Series routers and firewalls to address vulnerabilities that could allow attackers to execute arbitrary commands and overwrite files on the vulnerable devices.
The affected products are Cisco RV120W Wireless-N VPN Firewall, Cisco RV180 VPN Router, Cisco RV180W Wireless-N Multifunction VPN Router, and Cisco RV220W Wireless Network Security Firewall. However, firmware updates have been released only for the first three models, while the fixes for Cisco RV220W are expected later this month.
One of the patched flaws allows an attacker to execute arbitrary commands as root -- the highest privileged account -- through the network diagnostics page in a device's Web-based administration interface. Its exploitation requires an authenticated session to the router interface.
A second vulnerability allows attackers to execute cross-site request forgery (CSRF) attacks against users who are already authenticated on the devices. This vulnerability also provides a way to remotely exploit the first flaw.
A third security flaw that was patched by Cisco allows an unauthenticated attacker to upload files to arbitrary locations on a vulnerable device using root privileges. Existing files will be overwritten, the Securify researchers said.
Cisco released firmware versions 1.0.4.14 for the RV180 and RV180W models and firmware version 1.0.5.9 for the RV120W.
- 3