Cisco warns of authentication bypass vulnerabilities in routers
A remote attacker could exploit multiple vulnerabilities in four Cisco small business routers to bypass authentication or execute arbitrary commands on an affected device.
The flaws, which could affect Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers, could allow an unauthenticated remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on an affected device, according to the company.
According to Cisco’s alert, the authentication bypass vulnerability is caused by improper validation of user input within incoming HTTP packets. An attacker could take advantage of this flaw by sending a specially crafted HTTP request to the web-based management interface. If the exploit is successful, the attacker may be able to bypass authentication and gain root access to the underlying operating system.
The security flaw, identified as CVE-2023-20025 (CVSS score of 9.0), affects the web-based management interface of the routers and could be exploited to bypass authentication. Because user input within incoming HTTP packets is not properly validated, an attacker can send crafted HTTP requests to the router, bypassing authentication and gaining root access to the operating system.
A successful compromise could, among other things, allow cyberattackers to eavesdrop on or hijack VPN and session traffic flowing through the device, gain a foothold for lateral movement within a company’s network, or run cryptominers, botnet clients, or other malware.
The first bug is a critical-rated authentication bypass issue (CVE-2023-20025) that exists in the devices’ web-based management interface and has a CVSS severity rating of 9 out of 10.
Meanwhile, the second flaw, CVE-2023-20026, can allow remote code execution (RCE) with the caveat that an attacker would need valid administrative credentials on the affected device to be successful, so the bug is rated medium, with a CVSS score of 6.5.
Both flaws affect all RV016, RV042, RV042G, and RV082 routers, which have reached end of life (EoL). As a result, the appliances no longer receive security updates, according to a Jan. 11 advisory from the networking giant.
The advisory noted that both bugs are “due to improper validation of user input within incoming HTTP packets,” so an attacker needs only to send a crafted HTTP request to the web-based management interface to gain root access on the underlying operating system.
The sources for this piece include an article in DarkReading.