Recently, there has been abundant news regarding security and privacy vulnerabilities in the software products of IT industry leaders. Microsoft, Google, and Apple have all reported numerous bugs in the past few weeks alone. On top of that, there has been ample news of software vulnerabilities in very widely used hardware offerings such as chipsets and routers. Software vulnerabilities are a normal occurrence in the IT industry, especially in products developed by market leaders who cater to hundreds of millions of users. When such vulnerabilities are discovered, no matter how small they may seem, it is extremely important to patch or update as soon as possible, because cybercriminals are always looking to exploit easy bugs for one obvious reason: market share. The more widely a product is deployed, the more systems a single bug exposes.
The largest firms in the world, which hold the biggest pieces of the market-share pie, are the perfect launching pad for specialist cybercriminals looking for maximum exposure. The time required to fix a vulnerability also differs widely: large companies with a proprietary development model most often have slower development cycles in which a vulnerability or bug can be fixed, whereas SMBs (Small-to-Medium Businesses) that use open-source development can usually respond to a vulnerability faster than the largest organizations can.
This time, the news points once again at another industry leader, Cisco. Cisco is the established worldwide leader in networking; according to its official website: “CISCO SYSTEMS INC. IS THE WORLDWIDE LEADER in networking for the Internet.”
On August 4th, 2021, Cisco itself reported multiple vulnerabilities in several of its VPN router models, including the RV160 VPN router, which is popular with small businesses.
Details Surrounding The Software Vulnerabilities
On August 4th, 2021, Cisco published two public advisories in the Security Advisories section of its website. One describes a critical-risk vulnerability together with a high-risk vulnerability; the other describes a single high-risk vulnerability. The vulnerabilities found in Cisco’s VPN router lineup can allow a device that has not been updated to be completely compromised remotely.
Technical Details
The CVE (Common Vulnerabilities and Exposures) identifiers for the vulnerabilities are as follows:
- Critical risk vulnerability CVE-2021-1609
- High-risk vulnerability CVE-2021-1610
- High-risk vulnerability CVE-2021-1602
The vulnerability descriptions identify two classes of security flaw: stack-based buffer overflow and OS command injection.
Affected VPN Router Models
The complete list of Cisco VPN router models affected by the software vulnerabilities is as follows: the Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN routers, and the Cisco Small Business RV160 and RV260 Series routers. The reported vulnerable software versions are:
- Cisco RV340 Dual WAN Gigabit VPN Router: 1.0.03.21
- Cisco RV340W Dual WAN Gigabit Wireless-AC VPN Router: 1.0.03.21
- Cisco RV345 Dual WAN Gigabit VPN Router: 1.0.03.21
- Cisco RV345P Dual WAN Gigabit POE VPN Router: 1.0.03.21
- Cisco Small Business RV160 Series VPN Router: 1.0.01.03
- Cisco Small Business RV160W Wireless-AC VPN Router: 1.0.01.03
- Cisco Small Business RV260 VPN Router: 1.0.01.03
- Cisco Small Business RV260P VPN Router with POE: 1.0.01.03
- Cisco Small Business RV260W Wireless-AC VPN Router: 1.0.01.03
Important Information For Cisco VPN Router Users
For the above reasons, it is imperative that users keep their software products updated automatically and check back on the relevant web pages that publish update information. In the two advisories, Cisco states that users running any of the products in the above list must update their software.
For the Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN routers, Cisco has released a fix in firmware release 1.0.03.22 and later. For the Cisco Small Business RV160 and RV260 Series VPN routers, Cisco has released a fix in firmware release 1.0.01.04 and later. Users should update to these firmware releases immediately.
Note: Customers with license agreements may only install fixes to “software versions and feature sets for which they have purchased a license.” Customers without a service contract should contact Cisco TAC.
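A practical way to act on the two advisories is to check an inventory of routers against the fixed firmware releases named above. The script below is an added example written for this article, not Cisco code or a Cisco tool; it assumes that any firmware release older than the fixed release for a model still needs the update (the fix is in that release "and later"), and the hostnames, the ISR entry, and the whole sample inventory are constructed for illustration. It compares versions numerically rather than as strings, which matters because a plain string comparison would wrongly rank a release such as 1.0.03.9 above 1.0.03.22.

```python
# Added example: triage an inventory of Cisco small-business VPN routers
# against the fixed firmware releases stated in the August 2021 advisories.
# This is illustrative code, not Cisco's; the sample data below is constructed.
from typing import Optional

# Fixed firmware release per model, as stated in the article. Assumption:
# anything older than the fixed release is treated as needing the update.
FIXED_FIRMWARE = {
    "RV340": "1.0.03.22",
    "RV340W": "1.0.03.22",
    "RV345": "1.0.03.22",
    "RV345P": "1.0.03.22",
    "RV160": "1.0.01.04",
    "RV160W": "1.0.01.04",
    "RV260": "1.0.01.04",
    "RV260P": "1.0.01.04",
    "RV260W": "1.0.01.04",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted firmware string such as '1.0.03.21' into a tuple of ints.

    Tuples of ints compare component by component, so '1.0.03.9' sorts below
    '1.0.03.22' as it should; comparing the raw strings would get this wrong.
    """
    parts = version.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(part) for part in parts)


def is_vulnerable(model: str, version: str) -> Optional[bool]:
    """Return True if the running firmware is older than the fixed release,
    False if it is at or past the fix, and None if the model is not covered
    by these advisories (unknown models are reported, not silently ignored)."""
    fixed = FIXED_FIRMWARE.get(model.strip().upper())
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Sort (hostname, model, firmware) records into update / ok / unknown."""
    report: dict[str, list[str]] = {"update": [], "ok": [], "unknown": []}
    for hostname, model, version in inventory:
        status = is_vulnerable(model, version)
        bucket = "unknown" if status is None else ("update" if status else "ok")
        report[bucket].append(hostname)
    return report


# Constructed sample inventory: hostnames and the ISR line are made up.
SAMPLE_INVENTORY = [
    ("rtr-branch-01", "RV340", "1.0.03.21"),   # listed vulnerable release
    ("rtr-branch-02", "RV345P", "1.0.03.22"),  # fixed release
    ("rtr-shop-01", "RV160", "1.0.01.03"),     # listed vulnerable release
    ("rtr-shop-02", "RV260W", "1.0.01.04"),    # fixed release
    ("rtr-core-01", "ISR4331", "17.3.2"),      # not covered by these advisories
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:8s} {', '.join(hosts) or '-'}")
```

Feed it the model and firmware strings from your own asset register; devices that land in the `unknown` bucket are not cleared, they simply fall outside the two advisories and need checking against whatever advisory applies to them.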