Update your Cisco Small Business (Linksys) routers

Security advisories have recently been released by CISA and Cisco (CVE-2021-1472 and CVE-2021-1459) for multiple vulnerabilities ranging from high to critical severity, impacting many of Cisco’s RV-series small business routers.

These routers evolved from Linksys’ business product line, and they’ve been used by small businesses globally for more than a decade. When they first came out, they were extremely popular as a low-cost VPN gateway solution to enable remote workers.

CVE-2021-1459, with a critical CVSS score of 9.8, is a remote code execution vulnerability due to an input validation flaw on a few older (and end-of-life) RV models. In the advisory, Cisco said they wouldn’t be patching and recommended disabling remote management as the only mitigation that doesn’t involve updating to the current RV models...

That leads us to CVE-2021-1472, which is a high-scoring authentication bypass vulnerability affecting a few of the latest models in the RV series, and Cisco has released a patch for these.

At the time of posting, a quick Shodan search identifies over 300 potentially vulnerable routers in organizations from over 20 countries (and curiously, over 100 of them in Australia). We only looked for devices with default hostnames running vulnerable versions, so this is likely a small fraction of the actual vulnerable population.

So:

  • If you have an older RV-series router, disable remote management now, and then it’s probably time to upgrade.

  • If you have a current generation RV-series router, get the latest firmware from Cisco immediately.

  • If you’re a developer: these are a couple more examples of remote code execution (RCE) vulnerabilities caused by flaws in memory management, input validation, and implementation of least privilege throughout an application. These flaws (and the rest of the CWE Top 25 Most Dangerous Software Weaknesses) should be avoided by design, and can be found in automated testing if they slip through the cracks. It’s always better (and cheaper) to avoid security flaws during development than to fix them in production!
