Full Disclosure mailing list archives

Re: Cisco Security Advisory: Cisco Small Business Router Password Disclosure Vulnerability


From: "Brian M. Waters" <brian () brianmwaters net>
Date: Wed, 05 Mar 2014 17:02:44 -0500

Great, just two days after I purchased one on the premise that this would
be less likely to happen to a "small business" router than a consumer one!

Thanks for being forthcoming,

BW

On 03/05/2014 11:28, Cisco Systems Product Security Incident Response
Team wrote:
Cisco Security Advisory: Cisco Small Business Router Password
Disclosure Vulnerability

Advisory ID: cisco-sa-20140305-rpd

Revision 1.0

For Public Release 2014 March 5 16:00  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======


A vulnerability in the web management interface of the Cisco RV110W
Wireless-N VPN Firewall, the Cisco RV215W Wireless-N VPN Router,
and the Cisco CVR100W Wireless-N VPN Router could allow an
unauthenticated, remote attacker to gain administrative-level
access to the web management interface of the affected device.

The vulnerability is due to improper handling of authentication
requests by the web framework. An attacker could exploit this
vulnerability by intercepting, modifying and resubmitting an
authentication request. Successful exploitation of this
vulnerability could give an attacker administrative-level access to
the web-based administration interface on the affected device.

Cisco has released free software updates that address this
vulnerability. There are currently no known workarounds that
mitigate this vulnerability. This advisory is available at the
following link: 
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140305-rpd



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


--
Brian M. Waters
+1 (908) 380-8214
brian () brianmwaters net
