SB2018020815 - Multiple vulnerabilities in Cisco RV132W and RV134W VPN Routers




Published: February 8, 2018

Security Bulletin ID: SB2018020815
Severity: High
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 50%, Low 50%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2018-0127)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists in the web interface of Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers due to the absence of user authentication requirements for certain pages that are part of the web interface and contain confidential information. A remote attacker can send a specially crafted HTTP request, examine the HTTP response to the request and view configuration parameters, including the administrator password, for the affected device.


2) Improper input validation (CVE-ID: CVE-2018-0125)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists in the web interface of Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers due to incomplete input validation on user-controlled input in an HTTP request. A remote attacker can send a specially crafted HTTP request and cause the device to crash or execute arbitrary code with root privileges.

Successful exploitation of the vulnerability may result in system compromise.


Remediation

Install the update from the vendor's website.