The Cisco RVS4000 and WRVS4400N Gigabit Security Routers contain three web management interface vulnerabilities:
Retrieval of the configuration file
If an administrator of the device has previously created a backup of the configuration, using Administration --> Backup & Restore --> Backup, it is possible for a remote unauthenticated user to access the backup configuration file. This file contains all configuration parameters of the device, including the HTTP authentication password and VPN pre-shared-keys (PSKs).
Root operating system arbitrary command injection by an authenticated attacker
A user who is authenticated to the device can inject arbitrary commands into the underlying operating system with root privileges, via the ping test and traceroute test parameters.
Retrieval of admin SSL certificate private key
The admin SSL certificate's private and public keys (used for Quick VPN) can be retrieved by a remote unauthenticated user.
Successful exploitation of these vulnerabilities may result in execution of arbitrary commands on the device by an authenticated user, or in retrieval of configuration files and private keys by an unauthenticated user. The configuration files contain sensitive information in plain text, such as the HTTP passwords and PSKs. Retrieval of the certificates may aid further attacks.
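As an added illustration of the command-injection class described above (example code, not Cisco's or the advisory's own), the following Python shows how a hardened diagnostic handler should treat a ping or traceroute target: validate it as a literal IP address or hostname, build an argv list instead of a shell string, and flag web-access-log requests whose target parameter carries shell metacharacters. The CGI path `/diag.cgi` and the parameter names `ping_target` and `trace_target` are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Hostname label grammar: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Characters that let a value escape a command line that was built as a shell string.
_SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\s]")
# Hypothetical query-parameter names for the ping/traceroute tests (not from the advisory).
TARGET_PARAMS = {"ping_target", "trace_target"}


def is_valid_target(value: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or a well-formed hostname."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def build_ping_argv(target: str) -> list:
    """Return an argv list for ping. The bug class in the advisory arises when the
    user value is concatenated into a shell string instead; an argv list with a
    validated target gives the shell nothing to interpret."""
    if not is_valid_target(target):
        raise ValueError(f"rejected ping target: {target!r}")
    return ["ping", "-c", "4", target]


def flag_injection_attempts(log_lines):
    """Return (client, param, value) for requests whose diagnostic target is not a clean host."""
    hits = []
    for line in log_lines:
        parts = line.split()          # common/combined log format: request path is field 7
        if len(parts) < 7:
            continue
        client, request = parts[0], parts[6]
        for name, value in parse_qsl(urlsplit(request).query, keep_blank_values=True):
            if name in TARGET_PARAMS and (_SHELL_META.search(value) or not is_valid_target(value)):
                hits.append((client, name, value))
    return hits


# Constructed sample access-log lines, not real device logs (hypothetical /diag.cgi path).
SAMPLE_LOG = [
    '192.0.2.10 - admin [25/May/2011:10:00:01 +0000] "GET /diag.cgi?ping_target=192.0.2.1 HTTP/1.1" 200 512',
    '192.0.2.77 - admin [25/May/2011:10:00:09 +0000] "GET /diag.cgi?ping_target=192.0.2.1%3Bid HTTP/1.1" 200 612',
    '192.0.2.77 - admin [25/May/2011:10:00:15 +0000] "GET /diag.cgi?trace_target=example.com%60uname%60 HTTP/1.1" 200 700',
]
```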
Workaround:
The following mitigations help limit the exposure to these vulnerabilities.
Disable remote management.
Caution: Do not disable remote management if you manage the device via the WAN connection. Doing so will result in loss of management connectivity to the device.
Remote Management is disabled by default. If it has been enabled, administrators can disable it on the Firewall --> Basic Settings screen by changing the "Remote Management" field to "Disabled".
Disabling remote management limits exposure to these vulnerabilities to hosts on the local LAN.
Limit remote management access to specific IP addresses.
If remote management is required, harden the device so that it can be reached only from specific IP addresses rather than the default setting of "any". On the Firewall --> Basic Settings screen, an administrator can change the Remote IP address field so that only devices with the specified IP addresses can access the management interface.
The following mitigation can help limit the exposure to the vulnerability "Retrieval of the configuration file".
Remove all backup configuration files from the device.
Rebooting the device after performing a configuration backup removes the backup configuration file from the system, so that it cannot be retrieved by an unauthenticated user.
Disclosure Timeline:
Revision 1.1 2011-Jun-16 Modified software table to indicate that First Fixed release for RVS4000v1 is 1.3.3.5.
Revision 1.0 2011-May-25 Initial public release.