http://news.techworld.com/security/3584643/cisco-patches-serious-vulnerabilities-in-small-business-rv-series-routers/
By Lucian Constantin
Techworld.com
06 November 2014
Cisco Systems released patches for its small business RV Series routers
and firewalls to address vulnerabilities that could allow attackers to
execute arbitrary commands and overwrite files on the vulnerable devices.
The affected products are Cisco RV120W Wireless-N VPN Firewall, Cisco
RV180 VPN Router, Cisco RV180W Wireless-N Multifunction VPN Router, and
Cisco RV220W Wireless Network Security Firewall. However, firmware updates
have been released only for the first three models, while the fixes for
Cisco RV220W are expected later this month.
One of the patched flaws allows an attacker to execute arbitrary commands
as root -- the highest privileged account -- through the network
diagnostics page in a device's Web-based administration interface. The
flaw stems from improper input validation in a form field that's supposed
to only allow the PING command. Its exploitation requires an authenticated
session to the router interface.
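Added example, not from the article and not Cisco's firmware code: one way a
diagnostics handler can restrict a ping form field to an IP address or hostname
and run the tool without a shell. The function names and the Linux-style
`ping -c` invocation are assumptions made for illustration.

```python
import ipaddress
import re
import subprocess

# Unsafe pattern (for contrast): subprocess.run("ping -c 4 " + value, shell=True)
# hands the whole form value to a shell, which interprets metacharacters in it.

# One RFC 1123 hostname label: letters, digits, hyphens, no hyphen at either edge.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def validate_ping_target(value):
    """Return a normalized IP address or hostname, or raise ValueError."""
    if not isinstance(value, str) or not 0 < len(value) <= 253:
        raise ValueError("target must be 1-253 characters")
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None:
        # Scope IDs (fe80::1%zone) carry free-form text, so refuse them.
        if getattr(addr, "scope_id", None):
            raise ValueError("scoped IPv6 addresses are not accepted")
        return str(addr)
    host = value[:-1] if value.endswith(".") else value
    labels = host.split(".")
    # fullmatch() rejects spaces, newlines, quotes and shell metacharacters.
    if all(_LABEL.fullmatch(label) for label in labels):
        return ".".join(labels).lower()
    raise ValueError("target is not an IP address or hostname")


def build_ping_argv(target, count=4):
    """Build an argument vector; the validated host cannot start with '-'."""
    host = validate_ping_target(target)
    count = max(1, min(int(count), 10))  # clamp the user-supplied count
    return ["ping", "-c", str(count), host]


def run_ping(target):
    """Run ping with a list argv (no shell), a timeout, and captured output."""
    result = subprocess.run(build_ping_argv(target), capture_output=True,
                            text=True, timeout=30, check=False)
    return result.stdout
```

Validation and shell-free execution are independent layers: either one alone
stops the form value from being interpreted as a command.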
A second vulnerability allows attackers to execute cross-site request
forgery (CSRF) attacks against users who are already authenticated on the
devices. Attackers can piggyback on their authenticated browser sessions
to perform unauthorized actions if they can trick those users into clicking
on specially crafted links.
[...]