The largest firms in the world which hold the biggest pieces of the market share pie are the perfect launching pad for specialist cybercriminals looking for maximum exposure. The amount of time required to fix vulnerabilities also differs widely, and most often big companies with a proprietary development model will have slower development cycles where they can fix a vulnerability or bug. SMBs (Small-to-Medium Businesses) that utilize open-source development can usually respond faster to a vulnerability than the largest organizations can. This time, the news points once again at another industry leader, Cisco. On August 4th, 2021 Cisco themselves have reported multiple vulnerabilities in several of their VPN router models.
Details Surrounding The Software Vulnerabilities
On August 04th, 2021 two public release reports were provided by Cisco via the Security Advisory section of their website. One of these reports describes both a critical risk and high-risk vulnerability, the other one high-risk vulnerability. The software vulnerabilities found within Cisco’s VPN router lineup can result in a vulnerable system, that if not updated, can be completely compromised remotely.
Technical Details
The CVE ID (Critical Vulnerabilities and Exposures classification system) codes for the vulnerabilities are as follows;
Critical risk vulnerability CVE-2021-1609 High-risk vulnerability CVE-2021-1610 High-risk vulnerability CVE-2021-1602
The vulnerability descriptions contain the following security flaws and instances; stack-based buffer overflow and OS command injection.
Affected VPN Router Models
The complete list of Cisco VPN router models affected by the software vulnerabilities is as follows; Cisco RV340, RV340W, RV345, RV345P Dual WAN Gigabit VPN, Cisco Small Business RV160, and RV260 Series. The reported vulnerable software versions are as follows;
Cisco RV340 Dual WAN Gigabit VPN Router: 1.0.03.21 Cisco RV340W Dual WAN Gigabit Wireless-AC VPN Router: 1.0.03.21 Cisco RV345 Dual WAN Gigabit VPN Router: 1.0.03.21 Cisco RV345P Dual WAN Gigabit POE VPN Router: 1.0.03.21 Cisco RV340 Dual WAN Gigabit VPN Router: 1.0.03.21 Cisco RV340W Dual WAN Gigabit Wireless-AC VPN Router: 1.0.03.21 Cisco RV345 Dual WAN Gigabit VPN Router: 1.0.03.21 Cisco RV345P Dual WAN Gigabit POE VPN Router: 1.0.03.21 Cisco Small Business RV160 Series VPN Router: 1.0.01.03 Cisco Small Business RV160W Wireless-AC VPN Router: 1.0.01.03 Cisco Small Business RV260 VPN Router: 1.0.01.03 Cisco Small Business RV260P VPN Router with POE: 1.0.01.03 Cisco Small Business RV260W Wireless-AC VPN Router: 1.0.01.03
Important Information For Cisco VPN Router Users
For the above reasons, it is imperative that users always keep their software products automatically updated and check back on the relevant web pages that offer information about updates. In the two release reports, Cisco has stated that users must update their software versions if they are using any of the products in the above list. For the Cisco RV340, RV340W, RV345, and RV345P Dual Wan Gigabit VPN routers, Cisco has released a fix in firmware update 1.0.03.22 and later versions. For the Cisco Small Business RV160 and RV260 Series VPN routers, Cisco has released a fix in firmware update 1.0.01.04 and later. Users should immediately update to these firmware versions. Note: Customers with license agreements may only install fixes to “software versions and feature sets for which they have purchased a license.” Customers without a service contract should contact Cisco TAC.
