Undocumented Test Interface in Cisco Small Business Devices

Summary

• A vulnerability in the Cisco WAP4410N Wireless-N Access Point, Cisco WRVS4400N Wireless-N Gigabit Security Router, and the Cisco RVS4000 4-port Gigabit Security Router could allow an unauthenticated, remote attacker to gain root-level access to an affected device.
  
  Note: Additional research performed by Mr. Eloi Vanderbeken during April 2014 seems to indicate that some products may be affected by another vulnerability, introduced while fixing the original "TCP port 32764 Undocumented Test Interface" vulnerability. Cisco has confirmed the undocumented test interface has been completely removed by the firmware images listed in this advisory and cannot be re-enabled in the Cisco WAP4410N Wireless-N Access Point, Cisco WRVS4400N Wireless-N Gigabit Security Router, and the Cisco RVS4000 4-port Gigabit Security Router.
  
  Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are not available. This advisory is available at the following link:
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140110-sbd

Affected Products

• In March, 2013, Linksys was divested from Cisco and is now part of Belkin. For questions regarding all Linksys products, please contact the Belkin Incident Response Team at security@belkin.com.

  Vulnerable Products

  The following products are affected by the vulnerabilities that are described in this advisory:

  • Cisco RVS4000 4-port Gigabit Security Router running firmware version 2.0.3.2 and prior
  • Cisco WRVS4400N Wireless-N Gigabit Security Router hardware version 1.0 and 1.1 running firmware version 1.1.13 and prior
  • Cisco WRVS4400N Wireless-N Gigabit Security Router hardware version 2.0 running firmware version 2.0.2.1 and prior
  • Cisco WAP4410N Wireless-N Access Point running firmware version 2.0.6.1 and prior

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by these vulnerabilities.

Details

• A vulnerability in the Cisco WAP4410N Wireless-N Access Point, Cisco WRVS4400N Wireless-N Gigabit Security Router, and the Cisco RVS4000 4-port Gigabit Security Router could allow an unauthenticated, remote attacker to gain root-level access to an affected device. This vulnerability can be triggered from the LAN interfaces of the Cisco WRVS4400N Wireless-N Gigabit Security Router and the Cisco RVS4000 4-port Gigabit Security Router from the wireless LAN (WLAN) and the LAN interfaces of the Cisco WAP4410N Wireless-N Access Point.
  
  This vulnerability is due to an undocumented test interface in the TCP service listening on port 32764 of the affected device. An attacker could exploit this vulnerability by accessing the affected device from the LAN-side interface and issuing arbitrary commands in the underlying operating system. An exploit could allow the attacker to access user credentials for the administrator account of the device, and read the device configuration. The exploit can also allow the attacker to issue arbitrary commands on the device with escalated privileges.
  
  This vulnerability is documented in Cisco bug ID CSCum37566 (registered customers only) for the Cisco WAP4410N Wireless-N Access Point; Cisco bug IDs CSCum43693 (registered customers only) and CSCum43700 (registered customers only) for the WRVS4400N Wireless-N Gigabit Security Router; and Cisco bug ID CSCum43685 (registered customers only) for the Cisco RVS4000 4-port Gigabit Security Router. This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2014-0659.

Workarounds

• There are no known workarounds that mitigate these vulnerabilities.

Fixed Software

• Cisco has released free software updates for the WAP4410N and WRVS4400N that address the vulnerabilities described in this advisory at the following links:

  Cisco WAP4410N Wireless-N Access Point firmware version 2.0.7.4
  
  Cisco WRVS4400N Wireless-N Gigabit Security Router hardware version 2.0 firmware version 2.0.2.2
  
  Cisco RVS4000 4-port Gigabit Security Router firmware version 2.0.3.4

  When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
  
  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

• The vulnerability discussed in this document has been publicly disclosed and public exploit code is available. The Cisco Product Security Incident Response Team (PSIRT) is not aware of any widespread exploitation at this time.
  
  Eloi Vanderbeken publicly disclosed this vulnerability via his github page: https://github.com/elvanderb/TCP-32764
  
  Matthew1471! reported this vulnerability to Cisco. Cisco would like to thank him for notifying the Cisco PSIRT.

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140110-sbd

Revision History

• Revision 1.5	2014-April-23	Added NOTE regarding new vulnerability information to the Summary section.
  Revision 1.4	2014-March-14	Added download link for RVS4000 firmware version 2.0.3.4 to "Software Versions and Fixes."
  Revision 1.3	2014-January-28	Added fixed software version information. Added Cisco Small Business Support Center contact information.
  Revision 1.2	2014-January-24	Fixed broken hyperlink in "Summary" section.
  Revision 1.1	2014-January-10	Updated Affected Products section to add Belkin Incident Response Team contact information.
  Revision 1.0	2014-January-10	Initial public release.

  Show Complete History...