M-M-M-MONSTER KILL: Cisco's bug-wranglers swat 29 in single week
Replace those end-of-life VPN devices, they won't be patched
Cisco has taken delivery of a bulk order for 29 Common Vulnerabilities and Exposures (CVEs) IDs.
If you're running the end-of-life RV110 Wireless-N VPN firewall or RV215W Wireless-N VPN router, bad news: some of their security vulnerabilities won't be patched and there's no workaround – so it is probably time to replace them.
Those are listed in one of two new critical-rated CVEs, the other of which Cisco fixed without your help.
Users don't need to take any action about the now-patched authentication bug in Cisco's Umbrella API (CVE-2018-0435), but that's not the case for various RV-Series routers.
The management interfaces of the RV110W, RV130W and RV215W kit have a buffer overrun (CVE-2018-0423) that leaves them vulnerable to remote attackers.
As the advisory stated: "The vulnerability is due to improper boundary restrictions on user-supplied input in the Guest user feature of the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to a targeted device, triggering a buffer overflow condition."
The Guest feature is disabled in the devices' default configuration.
Cisco has patched the RV130W Wireless-N Multifunction VPN router's firmware.
If you're running either the RV110W Wireless-N VPN firewall or RV215W Wireless-N VPN router, configure it to disable the Guest feature because Cisco already had those units on its end-of-life list.
As for the other 27 patches, 13 are rated as "High" priority and the rest are "Medium".
As well as the buffer overrun, the aforementioned routers' admin interface also has:
- A directory traversal bug (CVE-2018-0426)
- A command injection bug (CVE-2018-0424) only patched in the RV130W and with no workaround for the other two products
- An information disclosure vulnerability (CVE-2018-0425) also unpatched in the RV130W and RV215W units
Cisco's vulnerability announcements also list high-rated bugs in various Webex products, Cisco's SD-WAN Solution, and management products; and there are 14 bugs rated "Medium".
Four older announcements relating to Apache Struts, FragmentSmack, SegmentSmack and an Orchestrator snafu were updated with expanded product lists. Enjoy. ®