Cisco warns of auth bypass bug with public exploit in EoL routers

Jan 12, 2023 | News


Cisco warned customers today of a critical authentication bypass vulnerability with public exploit code affecting multiple end-of-life (EoL) VPN routers.


The security flaw (CVE-2023-20025) was found in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 routers by Hou Liuyang of Qihoo 360 Netlab.

It is caused by improper validation of user input within incoming HTTP packets. Unauthenticated attackers can exploit it remotely by sending a specially crafted HTTP request to vulnerable routers’ web-based management interface to bypass authentication.

Successful exploitation allows them to gain root access. By chaining it with another vulnerability tracked as CVE-2023-2002 (also disclosed today by Cisco), they can execute arbitrary commands on the underlying operating system.


Despite rating it as a critical severity bug and saying that its Product Security Incident Response Team (PSIRT) is aware of proof-of-concept exploit code available in the wild, Cisco noted that it “has not and will not release software updates that address this vulnerability.”

Luckily, Cisco PSIRT has found no evidence to suggest that the vulnerability is being abused in attacks.

Disable management interface to block attacks


While the RV016 and RV082 WAN VPN routers were last up for sale in January and May 2016, the last day the RV042 and RV042G VPN routers were available for order was January 30, 2020, and those two models will remain under support until January 31, 2025.

Even though there are no workarounds to address this vulnerability, administrators may disable the vulnerable routers’ web-based management interface and block access to ports 443 and 60443 to thwart exploitation attempts.

To do that, you have to log into the web-based management interface of each device, go to Firewall > General, and uncheck the Remote Management check box.

In the security advisory published today, Cisco also provides detailed steps to block access to ports 443 and 60443.

The affected routers will still be accessible and can be configured via the LAN interface after implementing the above mitigation.
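After unchecking Remote Management and blocking the two ports, it is worth confirming from an outside vantage point that the management interface really is unreachable. The script below is an added example written for this article, not Cisco tooling: it attempts a plain TCP connection to the advisory's ports (443 and 60443) on a router you administer and reports whether each still accepts connections. The host 192.0.2.1 is a documentation-range placeholder, and the loopback listener helpers exist only so the script can be exercised without a real device.

```python
"""Verify that a router's web management interface is no longer reachable
on the ports named in the Cisco advisory (tcp/443 and tcp/60443).

Added example for checking your own mitigation; not Cisco's tooling.
Assumption: the host is one you administer, and a completed TCP handshake
is taken to mean "management interface still exposed" from this vantage point.
"""
import socket
import threading
from typing import Dict, Iterable, Tuple

MANAGEMENT_PORTS = (443, 60443)  # ports called out in the advisory


def port_accepts_connections(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # refused, filtered (timed out) or unroutable: all count as not exposed
        return False


def check_management_exposure(host: str, ports: Iterable[int] = MANAGEMENT_PORTS,
                              timeout: float = 2.0) -> Dict[int, bool]:
    """Map each port to whether it still accepts connections from here."""
    return {p: port_accepts_connections(host, p, timeout) for p in ports}


def mitigation_effective(results: Dict[int, bool]) -> bool:
    """The mitigation is only effective if none of the checked ports accept."""
    return not any(results.values())


def _start_local_listener() -> Tuple[socket.socket, int]:
    """Stand-in for a still-exposed interface: a loopback listener on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed by the caller
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def _find_closed_port() -> int:
    """Pick a loopback port nothing listens on (bind, read back, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    # Placeholder target from the documentation range; pass your router's WAN address instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    results = check_management_exposure(target)
    for port, exposed in sorted(results.items()):
        print(f"{target}:{port} -> {'STILL REACHABLE' if exposed else 'blocked/closed'}")
    print("mitigation effective" if mitigation_effective(results) else "mitigation NOT effective")
```

Run it from a host outside your network (a LAN-side check will still succeed by design, since the advisory's mitigation leaves LAN management enabled). A "blocked/closed" result only tells you that a TCP handshake did not complete from that vantage point; if an upstream filter is what stopped it, re-check after any firewall change.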

In September, the company said it wouldn’t fix a critical auth bypass flaw affecting RV110W, RV130, RV130W, and RV215W EoL routers, encouraging owners to migrate to RV132W, RV160, or RV160W routers under support.

In June, Cisco again advised owners to switch to newer router models after disclosing a critical remote code execution (RCE) vulnerability (CVE-2022-20825) that was also left unpatched.


Source: bleepingcomputer.com
