Cisco Fixes Router, LAN Controller Security Flaws
Cisco Systems (CSCO) said in a security advisory it has addressed vulnerabilities in its small-business routers and wireless LAN controllers with new firmware to prevent remote hackers from gaining unauthorized administrative access.
The affected products include Cisco’s RV110W Wireless-N VPN Firewall running firmware versions 1.2.0.9 and prior, RV215W Wireless-N VPN router running firmware versions 1.1.0.5 and prior, and CVR100W Wireless-N VPN router running firmware versions 1.0.1.19 and prior. To date, the flaw doesn’t affect any other Cisco products.
Cisco said a vulnerability in the web management interface “could allow an unauthenticated, remote attacker to gain administrative-level access to the web management interface of the affected device.” An attacker could exploit what Cisco called “improper handling of authentication requests” to gain administrative-level access by intercepting, modifying or resubmitting a request. Once inside, the attacker can configure all the router’s settings.
The networking vendor, which assigned the vulnerability the highest score of 10 in the Common Vulnerability Scoring System (CVSS), said there are no workarounds for it.
Cisco said it has released free software updates for the RV110W, RV215W, and CVR100W and advised customers with service contracts and those with third-party maintenance agreements to obtain the firmware upgrade through their regular channels. Customers without service deals can contact Cisco’s Technical Assistance Center, the vendor said. Customers should have the product serial number available and be prepared to provide the URL of Cisco’s security advisory as evidence of entitlement to the free upgrade.
The vendor also advised customers to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments before installation.
So far no one has taken advantage of the vulnerability to launch an attack, according to Cisco’s Product Security Incident Response Team (PSIRT).