Information Security News mailing list archives
Cisco patches serious vulnerabilities in small business RV Series routers
From: InfoSec News <alerts () infosecnews org>
Date: Thu, 6 Nov 2014 16:02:45 +0000 (UTC)
http://news.techworld.com/security/3584643/cisco-patches-serious-vulnerabilities-in-small-business-rv-series-routers/ By Lucian Constantin Techworld.com 06 November 2014Cisco Systems released patches for its small business RV Series routers and firewalls to address vulnerabilities that could allow attackers to execute arbitrary commands and overwrite files on the vulnerable devices.
The affected products are Cisco RV120W Wireless-N VPN Firewall, Cisco RV180 VPN Router, Cisco RV180W Wireless-N Multifunction VPN Router, and Cisco RV220W Wireless Network Security Firewall. However, firmware updates have been released only for the first three models, while the fixes for Cisco RV220W are expected later this month.
One of the patched flaws allows an attacker to execute arbitrary commands as root -- the highest privileged account -- through the network diagnostics page in a device's Web-based administration interface. The flaw stems from improper input validation in a form field that's supposed to only allow the PING command. Its exploitation requires an authenticated session to the router interface.
A second vulnerability allows attackers to execute cross-site request forgery (CSRF) attacks against users who are already authenticated on the devices. Attackers can piggyback on their authenticated browser sessions to perform unauthorized actions if they can trick those users to click on specially crafted links.
[...] -- Evident.io - Continuous Cloud Security for AWS. Identify and mitigate risks in 5 minutes or less. Sign up for a free trial @ https://evident.io/
Current thread:
- Cisco patches serious vulnerabilities in small business RV Series routers InfoSec News (Nov 06)