Cisco today warned customers of a critical authentication bypass vulnerability, with public exploit code, that affects multiple End-of-Life (EoL) VPN routers.
The security flaw (CVE-2023-20025) was found in the web management interface of Cisco Small Business RV016, RV042, RV042G and RV082 routers by Hou Liuyang of Qihoo 360 Netlab.
It is caused by improper validation of user input in incoming HTTP packets. Unauthenticated attackers can exploit it remotely by sending a specially crafted HTTP request to the web management interface of a vulnerable router to bypass authentication.
Successful exploitation gives them root access. By chaining it with another vulnerability tracked as CVE-2023-2002 (also disclosed today by Cisco), they can execute arbitrary commands on the underlying operating system.
Although it rated the bug as critical severity and stated that its Product Security Incident Response Team (PSIRT) was aware of proof-of-concept exploit code available in the wild, Cisco noted that it “has not and will not release software updates that address this vulnerability.”
Fortunately, Cisco PSIRT found no evidence that the vulnerability is being exploited in attacks.
Disable the management interface to block attacks
While the RV016 and RV082 WAN VPN Routers reached their last day of sale in January and May 2016, the RV042 and RV042G VPN Routers were last available to order on January 30, 2020 and remain under support until January 31, 2025.
Although there is no workaround for this vulnerability, administrators can disable the web management interface of vulnerable routers and block access to ports 443 and 60443 to thwart exploitation attempts.
To do this, you need to log in to each device’s web management interface, navigate to Firewall > General, and uncheck the Remote Management box.
In today’s security advisory, Cisco also provides detailed steps to block access to ports 443 and 60443.
Affected routers will still be accessible and configurable through the LAN interface after the above mitigation is implemented.
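The mitigation above only helps if the management ports really are unreachable from the WAN side. The following Python check is an added example, not code from the article or from Cisco: run from an external vantage point, it attempts a TCP connection to ports 443 and 60443 (the ports named in the advisory) on the router's public address and reports whether either still accepts connections. The target address is a placeholder assumption; `run_self_check` is an offline self-test that uses a local listener so the logic can be verified without a router.

```python
import socket
import sys
from typing import Dict, Iterable

# Ports Cisco's advisory says to block for the RV016/RV042/RV042G/RV082
# web management interface.
MANAGEMENT_PORTS = (443, 60443)


def port_is_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    Any socket error (refused, unreachable, timeout) is treated as "blocked",
    which is the outcome the mitigation is meant to produce.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_management_exposure(
    host: str, ports: Iterable[int] = MANAGEMENT_PORTS, timeout: float = 3.0
) -> Dict[int, bool]:
    """Map each management port to whether it accepts connections from here."""
    return {port: port_is_reachable(host, port, timeout) for port in ports}


def mitigation_verified(results: Dict[int, bool]) -> bool:
    """The mitigation holds only if none of the management ports are reachable."""
    return not any(results.values())


def run_self_check() -> bool:
    """Offline self-test (constructed): a local listener must read as reachable,
    and the same port must read as blocked once the listener is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        reachable_while_open = port_is_reachable("127.0.0.1", port, timeout=1.0)
    finally:
        listener.close()
    reachable_after_close = port_is_reachable("127.0.0.1", port, timeout=1.0)
    return reachable_while_open and not reachable_after_close


if __name__ == "__main__":
    # Placeholder WAN address (TEST-NET-1, an assumption); pass the real one as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    results = check_management_exposure(target)
    for port, reachable in results.items():
        print(f"{target}:{port} {'REACHABLE' if reachable else 'blocked/closed'}")
    if mitigation_verified(results):
        print("mitigation verified: management ports not reachable from this vantage point")
    else:
        print("management interface still exposed on at least one port")
```

Run it from a host outside the LAN (the check is meaningless from inside, where the advisory says the interface stays reachable by design). A "REACHABLE" result on either port means the firewall rule or the Remote Management setting has not taken effect yet.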
In September, the company said it would not fix a critical authentication bypass flaw affecting EoL RV110W, RV130, RV130W and RV215W routers, encouraging owners to migrate to the still-supported RV132W, RV160 or RV160W routers.
In June, Cisco again advised owners to upgrade to newer router models after disclosing a critical remote code execution (RCE) vulnerability (CVE-2022-20825) that also has not been fixed.