A number of Cisco Small Business RV Series Routers were found to be vulnerable to two attacks, and Cisco was quick to explain what the vulnerabilities were and that patches had been issued.
Cisco confirmed that command injection and arbitrary command execution vulnerabilities were found in routers including the RV016, RV042, RV042G, RV082, RV320, and RV325. Both vulnerabilities are considered high risk, which is the main reason the patches were issued so quickly.
“A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker with administrative privileges to inject arbitrary commands into the underlying operating system,” Cisco says in the advisory. “When processed, the commands will be executed with root privileges.”
As for the arbitrary command execution vulnerability, Cisco explained that the web-based management interface could let an authenticated, remote attacker execute arbitrary commands with root privileges.
The Cisco developers also said that no workaround exists that addresses these two vulnerabilities. The only way for admins to reduce the attack surface is to disable the Remote Management feature. In fact, this feature is disabled by default on a new router.
Even though Cisco released new firmware updates, these are not applied automatically. Users have to install such updates themselves. Vulnerabilities in routers are not uncommon, but many remain unaddressed. One reason is the lack of automatic deployment for security patches.