Cisco has warned customers that a bug for several of its routers for small and medium businesses (SMBs) could be the target of an attack after observing “ongoing active network scanning” that could be targeting a critical flaw it disclosed at the February.
The critical flaw, CVE-2019-1663, affected the web interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router.
Improper validation of user-supplied data in the web interface could allow “an unauthenticated, remote attacker to execute arbitrary code on an affected device,” according to Cisco.
Cisco has already released fixes on February 27 and its alert means that customers should install them now or risk attackers take control of the vulnerable routers.
“The Cisco Product Security Incident Response Team (PSIRT) is aware of ongoing active network scanning potentially targeting the vulnerability that is described in this advisory,” in a March 6 update.
Although attackers are potentially targeting that flaw, there are also now details about what the flaw was and what caused it.
A day after Cisco released the advisory, Dave Null, a researcher from Pen Test Partners, one of the two parties that reported the bug to Cisco, posted a detailed description of the issue.
Null notes it was a buffer overflow flaw that could be triggered by submitting an overly long value to the password login. Largely responsible for the buffer overflow was the use of notoriously “dangerous” C function ‘strcpy’.
“For strcpy, the length of the string is entirely unimportant. The concept of a size is entirely alien to strcpy,” explained Null.
“When you use strcpy (or one of the many, many other unsafe functions), you are riding the C bicycle without a helmet,” he continues.
“[Y]ou’re taking a pointer to a memory location you’ve previously allocated (and already declared a size for!), and you’re copying the string to that memory. Nothing will stop this string overwriting the bounds of the memory you allocated. That’s why it’s bad.”
Customers should check Cisco’s advisory on how to check for the device us running fixed firmware.