A vulnerability in the Cisco WAP4410N Wireless-N Access Point, Cisco WRVS4400N Wireless-N Gigabit Security Router, and the Cisco RVS4000 4-port Gigabit Security Router could allow an unauthenticated, remote attacker to gain root-level access to an affected device. Note: Additional research performed by Mr. Eloi Vanderbeken during April 2014 seems to indicate that some products may be affected by another vulnerability, introduced while fixing the original "TCP port 32764 Undocumented Test Interface" vulnerability. Cisco has confirmed the undocumented test interface has been completely removed by the firmware images listed in this advisory and cannot be re-enabled in the Cisco WAP4410N Wireless-N Access Point, Cisco WRVS4400N Wireless-N Gigabit Security Router, and the Cisco RVS4000 4-port Gigabit Security Router. Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are not available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140110-sbd
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.Cisco WAP4410N Wireless-N Access Point firmware version 2.0.7.4
Cisco WRVS4400N Wireless-N Gigabit Security Router hardware version 2.0 firmware version 2.0.2.2
Cisco RVS4000 4-port Gigabit Security Router firmware version 2.0.3.4
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision 1.5 | 2014-April-23 | Added NOTE regarding new vulnerability information to the Summary section. |
Revision 1.4 | 2014-March-14 | Added download link for RVS4000 firmware version 2.0.3.4 to "Software Versions and Fixes." |
Revision 1.3 | 2014-January-28 | Added fixed software version information. Added Cisco Small Business Support Center contact information. |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.