Cisco Releases Updates to Address Two Vulnerabilities in VPN Routers
Cisco has released updates to fix critical pre-auth vulnerabilities in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN routers. Running firmware older than release 1.0.03.22. The flaws could be exploited to execute arbitrary code and create a denial-of-service condition.
The Cisco VPN Routers in question are from the Cisco Small Business Unit, which has almost nothing to do with Cisco’s enterprise product software. It's a completely separate operating system and hardware line. Unfortunately, it does have the Cisco name on it, so many small business customers will purchase it. This is a tragic scenario because these bugs hit companies that may not have all of the other security controls a large organization will have, and may not even patch these systems. This may go unnoticed for quite a while, and may only get addressed if they replace the product in the future. What we have seen is that for "Remote Management" these systems may have their Web Management right on the internet. Since these are VPN Routers, we would not expect that they are all behind a NAT so they may be internet facing.
These are pre-authentication vulnerabilities, exploitable via the web-based management interface which cannot be disabled on the local LAN connection. Take three steps now: apply the firmware updates; make sure that the management interface is disabled on the WAN connection and review your configuration to make sure it is unaltered. There are no workarounds.
This brings the total vulnerability count to 7 over the last couple years, for this particular router's web admin interface. If you believe that they found them all: Please allow worldwide access to the admin interface. If you feel like there may be a couple more vulnerabilities that haven't been found/patched yet: Disable access from anything but a few administrator IPs.
Read more in
Bleeping Computer: Cisco fixes critical, high severity pre-auth flaws in VPN routers