
Description:

Cisco has published a security advisory warning of a critical vulnerability in multiple End-of-Life (EoL) routers that could allow a remote attacker to bypass authentication or execute arbitrary commands on the device. The advisory describes two vulnerabilities, which Cisco notes are not dependent on each other: an attacker could exploit either one on its own to gain access to the device.

The first vulnerability, tracked as CVE-2023-20025, is in the web-based management interface of the Cisco Small Business RV016, RV042, RV042G, and RV082 routers and could allow an unauthenticated, remote attacker to bypass authentication.

The vulnerability is due to insufficient validation of user input within incoming HTTP packets. An attacker could exploit it by sending a crafted HTTP request to the web-based management interface. A successful exploit would allow the attacker to bypass authentication and gain root access to the underlying operating system of the router, the highest level of privilege on the device.

The second vulnerability, tracked as CVE-2023-20026, is also in the web-based management interface and affects the same routers. It too is due to improper validation of user input within incoming HTTP packets and is exploited by sending a crafted HTTP request to the interface. The difference is that an attacker needs valid administrative credentials on the targeted device to exploit it; a successful exploit would then allow the attacker to gain root-level privileges and access unauthorised data.

Mitigations:

As the affected devices reached the end of software maintenance in January 2021, Cisco has confirmed that it will not release software updates to address these vulnerabilities. Cisco has also stated that there are no workarounds; however, administrators can mitigate both bugs by disabling remote management and blocking access to ports 443 and 60443 on the WAN side of the affected routers. Cisco notes that the routers remain manageable through the LAN interface after the mitigation is applied. Because the vulnerable code stays on the device and is still reachable from the LAN, this reduces exposure rather than removing the flaw; for end-of-life hardware the only complete fix is replacement.

Cisco has provided the following steps to disable remote management and block port access:

To disable remote management on an affected router:

  1. Log in to the web-based management interface for the device.
  2. Choose Firewall > General.
  3. Uncheck the Remote Management check box.

To block access to ports 443 and 60443:

First, add a service entry for port 60443 to the device's service list, so that it can be referenced from an access rule. Cisco notes that no entry is needed for port 443, because HTTPS is predefined in the services list. To do this:

  1. Log in to the web-based management interface for the device.
  2. Choose Firewall > Access Rules. Click Service Management.
  3. In the Service Name field, enter TCP-60443.
  4. From the Protocol drop-down list, choose TCP.
  5. In both of the Port Range fields, enter 60443.
  6. Click Add to List.
  7. Click OK.

Next, create access rules to block ports 443 and 60443. To create an access rule to block port 443, do the following:

  1. Log in to the web-based management interface for the device.
  2. Choose Firewall > Access Rules.
  3. Click Add.
  4. From the Action drop-down list, choose Deny.
  5. From the Service drop-down list, choose HTTPS (TCP 443-443).
  6. From the Log drop-down list, select Log packets match this rule.
  7. From the Source Interface drop-down list, choose the option that matches the WAN connection on the device.
  8. From the Source IP drop-down list, choose Any.
  9. From the Destination IP drop-down list, choose Single.
  10. In both of the Destination IP fields, enter the WAN IP address.
  11. Click Save.

To create an access rule to block port 60443, repeat the preceding steps, but for Step 5 choose TCP-60443 (TCP 60443-60443), the service created above, from the Service drop-down list.

Note: If a second WAN port is in use, two additional access rules need to be created in the same way, using the source interface and WAN IP address of the second WAN port.
