Cisco fixes a critical flaw in CISCO CVR100W Wireless-N VPN Small Business Routers

Cisco released a firmware update to fix a critical buffer overflow vulnerability in CISCO CVR100W Wireless-N VPN Small Business Routers.

Cisco has released a firmware update to fix a critical vulnerability in its CVR100W Wireless-N VPN routers.

The flaw, tracked as CVE-2017-3882, can be exploited by attackers to trigger a denial-of-service (DoS) condition and execute arbitrary code with root privileges.

The CVE-2017-3882 vulnerability was discovered by researchers from the Chinese GeekPwn hacker group. The company said there was no evidence of malicious exploitation.

The good news is that CISCO revealed that there was no evidence of exploitation of the flaw in the wild.

“A vulnerability in the Universal Plug-and-Play (UPnP) implementation in the Cisco CVR100W Wireless-N VPN Router could allow an unauthenticated, Layer 2–adjacent attacker to execute arbitrary code or cause a denial of service (DoS) condition. The remote code execution could occur with root privileges.” reads the CISCO security advisory.

The vulnerability resides in the Universal Plug and Play (UPnP) implementation of the CVR100W Wireless-N VPN routers.

The exploitation of the flaw is quite simple, an attacker can trigger the vulnerability by sending a specially crafted request to the UPnP listening port of the router.

“The vulnerability is due to incomplete range checks of the UPnP input data, which could result in a buffer overflow. An attacker could exploit this vulnerability by sending a malicious request to the UPnP listening port of the targeted device. An exploit could allow the attacker to cause the device to reload or potentially execute arbitrary code with root privileges.” continues the analysis.

The flaw affects CVR100W Wireless-N VPN routers running a version of the firmware prior to 1.0.1.22, no other small business routers are affected.

Administrators can determine which firmware release is running on their routers by logging in to the web interface using the http(s)://system-ip access URL.

Below there is an example included in the advisory, in this the router is running Firmware Release 1.0.1.21.

Cisco Small Business
CVR100W Wireless-N VPN Router
Version 1.0.1.21

The CVR100W Wireless-N VPN routers are also affected by a medium severity bug that can be exploited by an unauthenticated attacker to bypass the remote management ACL. This flaw was fixed with the release of version 1.0.1.24.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CISCO CVR100W routers, hacking)

[adrotate banner=”13″]