Security bypass in CVR100W Wireless-N VPN Router - CVE-2017-6620
Published: May 5, 2017
Vulnerability identifier: #VU6424
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-6620
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
CVR100W Wireless-N VPN Router
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to bypass the remote management ACL.
The weakness exists due to an incorrect implementation of the ACL decision made for ingress connection requests to the remote management interface. A remote attacker can connect to the management IP address or domain name of the targeted device and, if the Remote Management configuration parameter is set to Disabled, bypass the configured remote management ACL.
Successful exploitation of the vulnerability results in security bypass.
How to mitigate CVE-2017-6620
Update to version 1.0.1.24.