Summary:
The web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router is prone to unauthenticated remote code execution. The vulnerability is caused by improper validation of user-supplied data in the web-based management interface.
Description:
For Cisco RV110/RV130/RV215, the web-based management interface is available through a local LAN connection or the remote management feature. A user with administrator rights can open the web-based management interface and choose Basic Settings > Remote Management to check whether remote management is enabled for the device.
At Qualys Labs, we have developed QID 13430 to cover this vulnerability.
A PoC is available. According to the PoC, the signature checks for the router information in the main GET request to the page, which identifies the device as router.appname="RVxxxW Wireless-AC VPN Firewall"; . This applies to all the affected products listed below that fall under CVE-2019-1663.
Affected Products:
- Cisco RV110W Wireless-N VPN Firewall
- Cisco RV130W Wireless-N Multifunction VPN Router
- Cisco RV215W Wireless-N VPN Router
Advisory:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex
Mitigation:
Cisco fixed this vulnerability in the following releases:
- RV110W Wireless-N VPN Firewall: 1.2.2.1
- RV130W Wireless-N Multifunction VPN Router: 1.0.3.45
- RV215W Wireless-N VPN Router: 1.3.1.1
Qualys customers can scan their network with QID 13430 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage of vulnerabilities.
References & Sources:
- https://packetstormsecurity.com/files/152507/Cisco-RV130W-Routers-Management-Interface-Remote-Command-Execution.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1663