Cisco reveals critical bug in small biz VPN routers when half the world is stuck working at home Cisco has addressed a clutch of critical vulnerabilities in its small business and VPN routers that can be exploited by an unauthenticated, remote attacker to execute arbitrary code as the root user. All the attacker needs to do is send a maliciously crafted HTTP request to the web-based management interface. Some of the …
"They can be exploited by an authenticated admin user to crash the device or execute commands on the host OS as root."
An authenticated admin user is surely one who can totally brick, or destroy the device config, or run OS level commands anyway?
I have a number of RV32x's in my flock, and for a moment I panic'ed about this, then realised it isn't really a problem. The web admin page is blocked from public view anyway. Mind you, the RV32x's are being replaced when convenient with Drayteks anyway - just a shame Drayteks only have 4 wan ports.
What, you again?
When will those responsible wake up to the need to validate all input - always?
It's so obvious and basic I can't get my head round anyone still failing to do so. However, having said that, in my commercial consulting experience I've never had a client whose team demonstrated real security understanding, and most are not even aware of OWASP.
From your mouth to the developer's ears.
I've been using the same software package for *18* years now. Through all those updates - I've stuck to version 10.8.x, the [idiot] behind the code has never validated a single input. With the resulting expected crashes and errors with invalid input, amongst other ongoing errors for 18 years.
...incompetence (from my perspective) is a terrible thing.
Potentially quite a nasty one.
Most small businesses have a dedicated IT person, let alone IT staff. If they have anyone at all, it's likely one or two employees who might or might not have an interest in computers, and even assuming they have the knowledge required, they are probably too busy doing their job to worry too much about the network. Even if they do know, they might be slightly hesitant to deploy a patch considering doing so may remove their access to the onsite system. Not something you want to do where, dependant on the rules currently in force, you may not be allowed to travel to work.
Exactly, and this is so much of the problem around anything like this. The companies involved simply cannot afford dedicated IT staff. There is usually someone with some knowledge but that is usually at the user support level rather than system.
It is not helped by the fact that if they do tray and get professional support too many people just rip them off. Small businesses really struggle with these sorts of things.
I'm somewhat surprised RV series stay up long enough to be exploited.
Ok, admittedly I only did some testing quite a while ago on an older RV-200 (or may have been RV-100) and it kept freezing. Cisco (and other) forums were full of posts of how cisco didn't seem to care and offered no updates/fixes. Could have been hardware/cooling issue I suppose
At least cisco is offering some support for the newer models by the looks of it.
... NOT buy network gear for Cisco or any other US manufacturer. At least here in Europe we have trustworthy manufacturers producing clean gear: Bintec-Elmeg, Clavister, Lancom, MikroTik. Blessedly we are not forced to use network gear laden with backdoors for CIA, NSA, you name it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
