Old Cisco routers won’t be patched against RCE bug

By on
Old Cisco routers won&#8217;t be patched against RCE bug

Remote management needs to be blocked.

Cisco has disclosed two critical vulnerabilities in a number of small business routers, along with high-severity vulnerabilities in three other products.

In its first patch release for 2023, the networking giant said its RV016, RV042, RV042G and RV082 routers are vulnerable to an authentication bypass bug (CVE-2023-20025) and a remote command execution (RCE) bug (CVE-2023-20026).

The authentication bypass can be exploited by sending crafted HTTP packets to the management interface, giving the attacker root access to the target system.

The RCE bug is similar, but can only be exploited by a remote attacker who has admin credentials on the affected system.

Cisco said it is aware of proof-of-concept code for the vulnerabilities.

The affected units are approaching end-of-life and won’t be patched. However, admins can disable remote management and block access to TCP/IP ports 443 and 60443.

Cisco’s IP Phone 7800 and 8800 series need patching against CVE-2023-20018, a high-severity bug in remote management that gives unauthenticated, remote attackers access to parts of the web interface that would normally require authentication.

The company’s Industrial Network Director software is subject to two high-severity vulnerabilities.

CVE-2023-20037 allows attackers to execute stored cross-site scripting attacks.

Cisco’s advisory attributes the vulnerability to “improper validation of content that is submitted to the affected application”, and said it “could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information”.

CVE-2023-20038 is a static private key in the software’s monitoring application. A local, authenticated attacker could use that key “decrypt local data or access remote systems monitored by Cisco IND”.

Two Broadworks platforms, the application delivery platform and the Xtended services platform, need patching against CVE-2023-20020, a denial of service vulnerability.

An input validation error would allow a remote, unauthenticated attacker send a “sustained stream of crafted requests” to their target. 

“A successful exploit could allow the attacker to cause all subsequent requests to be dropped, resulting in a DoS condition”, the advisory stated.

The company also disclosed a further 10 medium-severity vulnerabilities in a range of products.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
ciscocvenetworkingsecurityvulnerabilities

Sponsored Whitepapers

Adjusting to a New Era in Ransomware Risk
Adjusting to a New Era in Ransomware Risk
The Total Economic Impact&#8482; Of Juniper Connected Security
The Total Economic Impact™ Of Juniper Connected Security
State of Ransomware Report 2022
State of Ransomware Report 2022
Conquering the IT Challenges of Remote and Hybrid Work
Conquering the IT Challenges of Remote and Hybrid Work
Forrester Study APAC: Don&#8217;t Just Educate, Create Cybersafe Behaviour
Forrester Study APAC: Don’t Just Educate, Create Cybersafe Behaviour

Events

Most Read Articles

Rackspace customer data taken in 'PLAY' ransomware attack

Rackspace customer data taken in 'PLAY' ransomware attack
Fire Rescue Victoria staff data may have been breached in attack

Fire Rescue Victoria staff data may have been breached in attack
Python's PyPI registry suffers another supply-chain attack

Python's PyPI registry suffers another supply-chain attack
Microsoft sends security admins their first gift for 2023

Microsoft sends security admins their first gift for 2023

Digital Nation

Case study: Transurban uses automation to detect road incidents
Case study: Transurban uses automation to detect road incidents
Case Study: How HCF reengaged its customers through data and analytics
Case Study: How HCF reengaged its customers through data and analytics
Meta threatens to take news off its platform in the US. Yep, we're here again
Meta threatens to take news off its platform in the US. Yep, we're here again
Cover Story: The business of gaming will reshape marketing, technology
Cover Story: The business of gaming will reshape marketing, technology
Case study: How La Trobe University sets its data students up for success
Case study: How La Trobe University sets its data students up for success

Log In

  |  Forgot your password?