ID CVE-2021-1147 Type cve Reporter cve@mitre.org Modified 2021-01-15T15:52:00
Description
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device. Cisco has not released software updates that address these vulnerabilities.
{"id": "CVE-2021-1147", "bulletinFamily": "NVD", "title": "CVE-2021-1147", "description": "Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device. Cisco has not released software updates that address these vulnerabilities.", "published": "2021-01-13T22:15:00", "modified": "2021-01-15T15:52:00", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1147", "reporter": "cve@mitre.org", "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-command-inject-LBdQ2KRN"], "cvelist": ["CVE-2021-1147"], "type": "cve", "lastseen": "2021-02-02T07:55:04", "edition": 4, "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "cisco", "idList": ["CISCO-SA-RV-COMMAND-INJECT-LBDQ2KRN"]}, {"type": "threatpost", "idList": ["THREATPOST:30D70449EF03FFC5099B5B141FA079E2"]}], "modified": "2021-02-02T07:55:04", "rev": 2}, "score": {"value": 3.1, "vector": "NONE", "modified": "2021-02-02T07:55:04", "rev": 2}, "twitter": {"counter": 1, "modified": "2021-01-15T12:42:02", "tweets": [{"link": "https://twitter.com/threatintelctr/status/1350115292974821377", "text": " NEW: CVE-2021-1147 Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbit... (click for more) Severity: HIGH https://t.co/PUVpZBQmXt?amp=1"}]}, "vulnersScore": 3.1}, "cpe": ["cpe:/o:cisco:rv215w_wireless-n_vpn_router_firmware:1.2.2.8", "cpe:/o:cisco:rv130w_firmware:1.2.2.8", "cpe:/o:cisco:rv130w_firmware:1.3.1.7", "cpe:/a:cisco:application_extension_platform:1.0.3.55", "cpe:/o:cisco:rv215w_wireless-n_vpn_router_firmware:1.3.1.7", "cpe:/o:cisco:rv110w_firmware:1.2.2.8", "cpe:/o:cisco:rv130_vpn_router_firmware:1.3.1.7", "cpe:/o:cisco:rv110w_firmware:1.3.1.7", "cpe:/o:cisco:rv130_vpn_router_firmware:1.2.2.8"], "affectedSoftware": [{"cpeName": "cisco:rv130w_firmware", "name": "cisco rv130w firmware", "operator": "eq", "version": "1.2.2.8"}, {"cpeName": "cisco:application_extension_platform", "name": "cisco application extension platform", "operator": "eq", "version": "1.0.3.55"}, {"cpeName": "cisco:rv110w_firmware", "name": "cisco rv110w firmware", "operator": "eq", "version": "1.3.1.7"}, {"cpeName": "cisco:rv130_vpn_router_firmware", "name": "cisco rv130 vpn router firmware", "operator": "eq", "version": "1.3.1.7"}, {"cpeName": "cisco:rv130w_firmware", "name": "cisco rv130w firmware", "operator": "eq", "version": "1.3.1.7"}, {"cpeName": "cisco:rv215w_wireless-n_vpn_router_firmware", "name": "cisco rv215w wireless-n vpn router firmware", "operator": "eq", "version": "1.2.2.8"}, {"cpeName": "cisco:rv110w_firmware", "name": "cisco rv110w firmware", "operator": "eq", "version": "1.2.2.8"}, {"cpeName": "cisco:rv215w_wireless-n_vpn_router_firmware", "name": "cisco rv215w wireless-n vpn router firmware", "operator": "eq", "version": "1.3.1.7"}, {"cpeName": "cisco:rv130_vpn_router_firmware", "name": "cisco rv130 vpn router firmware", "operator": "eq", "version": "1.2.2.8"}], "affectedConfiguration": [{"cpeName": "cisco:rv110w", "name": "cisco rv110w", "operator": "eq", "version": "-"}, {"cpeName": "cisco:rv215w_wireless-n_vpn_router", "name": "cisco rv215w wireless-n vpn router", "operator": "eq", "version": "-"}, {"cpeName": "cisco:rv130w", "name": "cisco rv130w", "operator": "eq", "version": "-"}, {"cpeName": "cisco:rv130_vpn_router", "name": "cisco rv130 vpn router", "operator": "eq", "version": "-"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:cisco:application_extension_platform:1.0.3.55:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:h:cisco:rv130w:-:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:cisco:rv130w_firmware:1.2.2.8:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:cisco:rv130w_firmware:1.3.1.7:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "AND"}, {"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:h:cisco:rv130_vpn_router:-:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:cisco:rv130_vpn_router_firmware:1.3.1.7:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:cisco:rv130_vpn_router_firmware:1.2.2.8:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "AND"}, {"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:o:cisco:rv215w_wireless-n_vpn_router_firmware:1.3.1.7:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:cisco:rv215w_wireless-n_vpn_router_firmware:1.2.2.8:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:h:cisco:rv215w_wireless-n_vpn_router:-:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "AND"}, {"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:o:cisco:rv110w_firmware:1.3.1.7:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:cisco:rv110w_firmware:1.2.2.8:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:h:cisco:rv110w:-:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "AND"}]}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, "cpe23": ["cpe:2.3:o:cisco:rv110w_firmware:1.3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130_vpn_router_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:application_extension_platform:1.0.3.55:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130_vpn_router_firmware:1.3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv215w_wireless-n_vpn_router_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv110w_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130w_firmware:1.3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130w_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv215w_wireless-n_vpn_router_firmware:1.3.1.7:*:*:*:*:*:*:*"], "cwe": ["CWE-77"], "scheme": null, "extraReferences": [{"name": "20210113 Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Command Injection Vulnerabilities", "refsource": "CISCO", "tags": ["Vendor Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-command-inject-LBdQ2KRN"}]}
{"cisco": [{"lastseen": "2021-01-13T16:27:04", "bulletinFamily": "software", "cvelist": ["CVE-2021-1146", "CVE-2021-1147", "CVE-2021-1148", "CVE-2021-1149", "CVE-2021-1150"], "description": "Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.\n\nThe vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device.\n\nCisco has not released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-command-inject-LBdQ2KRN [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-command-inject-LBdQ2KRN\"]", "modified": "2021-01-13T16:00:00", "published": "2021-01-13T16:00:00", "id": "CISCO-SA-RV-COMMAND-INJECT-LBDQ2KRN", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-command-inject-LBdQ2KRN", "type": "cisco", "title": "Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Command Injection Vulnerabilities", "cvss": {"score": 7.2, "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "threatpost": [{"lastseen": "2021-01-15T21:53:22", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472", "CVE-2021-1144", "CVE-2021-1146", "CVE-2021-1147", "CVE-2021-1148", "CVE-2021-1149", "CVE-2021-1150", "CVE-2021-1237"], "description": "A high-severity flaw in Cisco\u2019s smart Wi-Fi solution for retailers could allow a remote attacker to alter the password of any account user on affected systems.\n\nThe vulnerability is part of a number of patches issued by Cisco addressing 67 high-severity CVEs on Wednesday. This included flaws found in Cisco\u2019s AnyConnect Secure Mobility Client, as well as Cisco RV110W, RV130, RV130W, and RV215W small business routers.\n\nThe most serious flaw afflicts Cisco Connected Mobile Experiences (CMX), [a software solution](<https://developer.cisco.com/site/cmx-mobility-services/>) that is utilized by retailers to provide business insights or on-site customer experience analytics. The solution uses the Cisco wireless infrastructure to collect a treasure trove of data from the retailer\u2019s Wi-Fi network, including real-time customer-location tracking.\n\n[](<https://threatpost.com/2020-reader-survey/161168/>)\n\nFor instance, if a customer connects to the Wi-Fi network of a store that utilizes CMX, retailers can track their locations within the venue, observe their behavior, and deliver special offers or promotions to them-while they\u2019re there.\n\nThe vulnerability (CVE-2021-1144) is [due to incorrect handling of authorization checks](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmxpe-75Asy9k>) for changing a password. The flaw ranks 8.8 out of 10 on the CVSS vulnerability-severity scale, making it high severity. Of note, to exploit the flaw, an attacker must have an authenticated CMX account \u2013 but would not need administrative privileges.\n\n\u201cAn authenticated attacker without administrative privileges could exploit this vulnerability by sending a modified HTTP request to an affected device,\u201d said Cisco. \u201cA successful exploit could allow the attacker to alter the passwords of any user on the system, including an administrative user, and then impersonate that user.\u201d\n\nAdmins have a [variety of privileges](<https://www.cisco.com/c/en/us/td/docs/wireless/mse/10-4/cmx_config/b_cg_cmx104/performing_administrative_tasks.html#concept_AF709E7ABE064E73B8C052BD9EB0FD1A>), including the ability to use File Transfer Protocol (FTP) commands for backing up and restoring data on Cisco CMX and gaining access to credentials (in order to unlock users who have been locked out of their accounts).\n\nThis vulnerability affects Cisco CMX releases 10.6.0, 10.6.1, and 10.6.2; the issue is patched in Cisco CMX releases 10.6.3 and later.\n\n## **Other High-Severity Flaws**\n\n[Another high-severity flaw](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-injec-pQnryXLf>) (CVE-2021-1237) exists in the Cisco AnyConnect Secure Mobility Client for Windows. AnyConnect Secure Mobility Client, a modular endpoint software product, provides a wide range of security services (such as remote access, web security features and roaming protection) for endpoints.\n\nThe flaw allows attackers \u2013 if they are authenticated and local \u2013 to perform a dynamic-link library (DLL) injection attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system, Cisco said.\n\n\u201cAn attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts,\u201d according to Cisco. \u201cA successful exploit could allow the attacker to execute arbitrary code on the affected machine with system privileges.\u201d\n\nSixty of those CVEs [exist in in the web-based management interface](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-overflow-WUnUgv4U>) of Cisco Small Business RV110W, RV130, RV130W and RV215W routers. These flaws could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.\n\n\u201cAn attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device,\u201d according to Cisco. \u201cA successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a denial-of-service (DoS) condition.\u201d\n\nAnd, five more CVEs (CVE-2021-1146, CVE-2021-1147, CVE-2021-1148, CVE-2021-1149 and CVE-2021-1150) in the Cisco Small Business RV110W, RV130, RV130W, and RV215W routers [could allow an authenticated, remote attacker](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-command-inject-LBdQ2KRN>) to inject arbitrary commands that are executed with root privileges.\n\nOf note, Cisco said it would not release software updates for the Cisco Small Business RV110W, RV130, RV130W and RV215W routers, as they have reached end of life.\n\n\u201cCisco has not released and will not release software updates to address the vulnerabilities described in this advisory,\u201d according to Cisco. \u201cThe Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process.\u201d\n\n**Supply-Chain Security: A 10-Point Audit Webinar:** _Is your company\u2019s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts \u2013 part of a [limited-engagement and LIVE Threatpost webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>). CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: **[Register Now](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)** and reserve a spot for this exclusive Threatpost [Supply-Chain Security webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>) \u2013 Jan. 20, 2 p.m. ET._\n", "modified": "2021-01-13T21:22:01", "published": "2021-01-13T21:22:01", "id": "THREATPOST:30D70449EF03FFC5099B5B141FA079E2", "href": "https://threatpost.com/cisco-flaw-cmx-software-retailers/163027/", "type": "threatpost", "title": "High-Severity Cisco Flaw Found in CMX Software For Retailers", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}
