back to article Cisco reveals critical bug in small biz VPN routers when half the world is stuck working at home

Cisco has addressed a clutch of critical vulnerabilities in its small business and VPN routers that can be exploited by an unauthenticated, remote attacker to execute arbitrary code as the root user. All the attacker needs to do is send a maliciously crafted HTTP request to the web-based management interface. Some of the …

  1. Yet Another Hierachial Anonynmous Coward


    "They can be exploited by an authenticated admin user to crash the device or execute commands on the host OS as root."

    An authenticated admin user is surely one who can totally brick, or destroy the device config, or run OS level commands anyway?

    I have a number of RV32x's in my flock, and for a moment I panic'ed about this, then realised it isn't really a problem. The web admin page is blocked from public view anyway. Mind you, the RV32x's are being replaced when convenient with Drayteks anyway - just a shame Drayteks only have 4 wan ports.

    1. Tom Chiverton 1

      Re: Confused....

      Authentication! = authorisation

      Who vs what.

  2. Mike 137 Silver badge

    "These vulnerabilities exist because HTTP requests are not properly validated."

    What, you again?

    When will those responsible wake up to the need to validate all input - always?

    It's so obvious and basic I can't get my head round anyone still failing to do so. However, having said that, in my commercial consulting experience I've never had a client whose team demonstrated real security understanding, and most are not even aware of OWASP.

    1. Peter 26

      Re: "These vulnerabilities exist because HTTP requests are not properly validated."

      I don't think I have seen any tutorials around this area in the last decade which don't cover this. It must be people reusing old code, or a proof of concept which ends up making it to the final product.

    2. Snake Silver badge

      Re: validation

      From your mouth to the developer's ears.

      I've been using the same software package for *18* years now. Through all those updates - I've stuck to version 10.8.x, the [idiot] behind the code has never validated a single input. With the resulting expected crashes and errors with invalid input, amongst other ongoing errors for 18 years.

      ...incompetence (from my perspective) is a terrible thing.

  3. _LC_


    Arggh, Huawei plunges the world into a state of insecurity again. Ban, ban, ban!

  4. StrangerHereMyself Silver badge


    Rust people, that's the answer to all our problems, Rust.

    1. Snake Silver badge

      Re: Rust

      I guess some [downvoters] didn't register the sarcasm... :p

  5. Stuart Castle Silver badge

    Potentially quite a nasty one.

    Most small businesses have a dedicated IT person, let alone IT staff. If they have anyone at all, it's likely one or two employees who might or might not have an interest in computers, and even assuming they have the knowledge required, they are probably too busy doing their job to worry too much about the network. Even if they do know, they might be slightly hesitant to deploy a patch considering doing so may remove their access to the onsite system. Not something you want to do where, dependant on the rules currently in force, you may not be allowed to travel to work.

    1. hoola Silver badge

      Exactly, and this is so much of the problem around anything like this. The companies involved simply cannot afford dedicated IT staff. There is usually someone with some knowledge but that is usually at the user support level rather than system.

      It is not helped by the fact that if they do tray and get professional support too many people just rip them off. Small businesses really struggle with these sorts of things.

  6. Wellyboot Silver badge

    RV0xx are software EOL

    As of last Friday the RV0xx (16, 42, 42G & 82) get no updates.

    Oh well..

  7. Down not across

    I'm somewhat surprised RV series stay up long enough to be exploited.

    Ok, admittedly I only did some testing quite a while ago on an older RV-200 (or may have been RV-100) and it kept freezing. Cisco (and other) forums were full of posts of how cisco didn't seem to care and offered no updates/fixes. Could have been hardware/cooling issue I suppose

    At least cisco is offering some support for the newer models by the looks of it.

    Black Helicopters

    "And tell your friends in small business to ..."

    ... NOT buy network gear for Cisco or any other US manufacturer. At least here in Europe we have trustworthy manufacturers producing clean gear: Bintec-Elmeg, Clavister, Lancom, MikroTik. Blessedly we are not forced to use network gear laden with backdoors for CIA, NSA, you name it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like