A vulnerability in the Universal Plug-and-Play (UPnP) service of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to improper validation of incoming UPnP traffic. An attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition. Cisco has not released software updates that address this vulnerability.
{"id": "CVE-2021-34730", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-34730", "description": "A vulnerability in the Universal Plug-and-Play (UPnP) service of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to improper validation of incoming UPnP traffic. An attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition. Cisco has not released software updates that address this vulnerability.", "published": "2021-08-18T20:15:00", "modified": "2022-10-27T12:46:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34730", "reporter": "psirt@cisco.com", "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-sb-rv-overflow-htpymMB5"], "cvelist": ["CVE-2021-34730"], "immutableFields": [], "lastseen": "2022-10-27T14:49:52", "viewCount": 56, "enchantments": {"dependencies": {"references": [{"type": "avleonov", "idList": ["AVLEONOV:B0F649A99B171AC3032AF71B1DCCFE34"]}, {"type": "cisco", "idList": ["CISCO-SA-CISCO-SB-RV-OVERFLOW-HTPYMMB5"]}, {"type": "githubexploit", "idList": ["95E65640-89C6-5DB4-B529-A64D409A4913"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:1F038DB7EFBB36EF80C56CAFA6D41B90"]}, {"type": "thn", "idList": ["THN:0B1D114F0E9F363E39DF54A7DB4324F9"]}, {"type": "threatpost", "idList": ["THREATPOST:C8634F1B5CFC8DD331BF849C669F1AFB"]}], "rev": 4}, "score": {"value": 6.3, "vector": "NONE"}, "twitter": {"counter": 19, "modified": "2021-08-21T08:51:12", "tweets": [{"link": "https://twitter.com/UITSEC/status/1431207200735825927", "text": "/hashtag/Cisco?src=hashtag_click Eski Cihazlardaki Zafiyetleri Gidermeyecek: CVE-2021-34730\n\n9.8 cvss puan\u0131 ile de\u011ferlendirilen zafiyetin UPnP hizmetinden kaynakland\u0131\u011f\u0131 tespit edildi.\n\nKullan\u0131m \u00f6mr\u00fcn\u00fc dolduran cihazlarda ortaya \u00e7\u0131kan zafiyetin giderilmeyece\u011fi a\u00e7\u0131kland\u0131.\n/hashtag/UITSEC?src=hashtag_click /hashtag/cybersecuritynews?src=hashtag_click"}, {"link": "https://twitter.com/PatrickCMiller/status/1429552712438493187", "text": "Cisco will not patch critical flaw CVE-2021-34730 in EoF routers"}, {"link": "https://twitter.com/6townstechteam/status/1430074939692961804", "text": "Cisco Small Business Routers Remote Command Execution & Denial of Service Vulnerability [CVE-2021-34730]"}, {"link": "https://twitter.com/SystemTek_UK/status/1430074936509538305", "text": "Cisco Small Business Routers Remote Command Execution & Denial of Service Vulnerability 
[CVE-2021-34730]"}, {"link": "https://twitter.com/YourAnonRiots/status/1428669919567118338", "text": "/hashtag/Cisco?src=hashtag_click has informed its customers that it will not provide a patch for a newly discovered critical /hashtag/vulnerability?src=hashtag_click (CVE-2021-34730) affecting its small business routers as the devices reach the end of their lifecycle.\n\n https://t.co/lwDuxf1HRD?amp=1\n/hashtag/infosec?src=hashtag_click /hashtag/cybersecurity?src=hashtag_click"}, {"link": "https://twitter.com/boannews/status/1428558069206716426", "text": "[\uc694\uc810\ub9cc \uac04\ub2e8\ud55c \uc544\uce68] \uc2dc\uc2a4\ucf54, CVE-2021-34730 \ud328\uce58\ud558\uc9c0 \uc54a\ub294\ub2e4"}, {"link": "https://twitter.com/misaelban/status/1429687691168391168", "text": "/hashtag/cisco?src=hashtag_click no parcheara a los rutadores /hashtag/VPN?src=hashtag_click que hayan cumplido su vida \u00fatil. CVE-2021-34730. /CiscoNoticias /hashtag/CyberSecurity?src=hashtag_click /hashtag/infosec?src=hashtag_click /hashtag/hacking?src=hashtag_click /hashtag/Pentesting?src=hashtag_click #@CVEnew /CVEannounce"}, {"link": "https://twitter.com/PSantavy/status/1429707617623060482", "text": "Cisco will not patch critical flaw CVE-2021-34730 in EoF routers\nhttps://t.co/UMSxmyoklW?amp=1\n/hashtag/CVE?src=hashtag_click-2021-34730\nSo, workaround is to disable UPnP on both the LAN and WAN interface.\n/hashtag/Ciscou?src=hashtag_click /hashtag/vulnerability?src=hashtag_click /hashtag/hacking?src=hashtag_click /hashtag/cybersecurity?src=hashtag_click /hashtag/cybersec?src=hashtag_click"}, {"link": "https://twitter.com/auscsec/status/1429586475012689921", "text": "Cisco will not patch critical flaw CVE-2021-34730 (CVSS score of 9.8) in small business RV110W, RV130, RV130W, and RV215W routers. 
\nIt recommends to disable UPnP on both the LAN and WAN interfaces of their devices."}, {"link": "https://twitter.com/ipssignatures/status/1428854865875374081", "text": "It is the first time for me to know a protection/signature/rule for the vulnerability CVE-2021-34730.\n/hashtag/Sfxag346jfs3fq?src=hashtag_click"}]}, "backreferences": {"references": [{"type": "avleonov", "idList": ["AVLEONOV:B0F649A99B171AC3032AF71B1DCCFE34"]}, {"type": "cisco", "idList": ["CISCO-SA-CISCO-SB-RV-OVERFLOW-HTPYMMB5"]}, {"type": "githubexploit", "idList": ["95E65640-89C6-5DB4-B529-A64D409A4913"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:1F038DB7EFBB36EF80C56CAFA6D41B90"]}, {"type": "thn", "idList": ["THN:0B1D114F0E9F363E39DF54A7DB4324F9"]}, {"type": "threatpost", "idList": ["THREATPOST:C8634F1B5CFC8DD331BF849C669F1AFB"]}]}, "exploitation": null, "vulnersScore": 6.3}, "_state": {"dependencies": 1666883163, "score": 1666882381, "affected_software_major_version": 1671597168}, "_internal": {"score_hash": "5159ff1838913746f90f3a5613e670e2"}, "cna_cvss": {"cna": "Cisco Systems, Inc.", "cvss": {"3": {"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8}}}, "cpe": ["cpe:/o:cisco:rv110w_wireless-n_vpn_firewall_firmware:-", "cpe:/o:cisco:rv130_vpn_router_firmware:-", "cpe:/o:cisco:rv130w_wireless-n_multifunction_vpn_router_firmware:-", "cpe:/o:cisco:rv215w_wireless-n_vpn_router_firmware:-", "cpe:/a:cisco:application_extension_platform:1.0.3.55"], "cpe23": ["cpe:2.3:o:cisco:rv130w_wireless-n_multifunction_vpn_router_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv215w_wireless-n_vpn_router_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130_vpn_router_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv110w_wireless-n_vpn_firewall_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:application_extension_platform:1.0.3.55:*:*:*:*:*:*:*"], "cwe": ["CWE-787"], "affectedSoftware": [{"cpeName": "cisco:application_extension_platform", "version": "1.0.3.55", "operator": "eq", "name": "cisco 
application extension platform"}, {"cpeName": "cisco:rv110w_wireless-n_vpn_firewall_firmware", "version": "-", "operator": "eq", "name": "cisco rv110w wireless-n vpn firewall firmware"}, {"cpeName": "cisco:rv130_vpn_router_firmware", "version": "-", "operator": "eq", "name": "cisco rv130 vpn router firmware"}, {"cpeName": "cisco:rv130w_wireless-n_multifunction_vpn_router_firmware", "version": "-", "operator": "eq", "name": "cisco rv130w wireless-n multifunction vpn router firmware"}, {"cpeName": "cisco:rv215w_wireless-n_vpn_router_firmware", "version": "-", "operator": "eq", "name": "cisco rv215w wireless-n vpn router firmware"}], "affectedConfiguration": [{"name": "cisco rv110w wireless-n vpn firewall", "cpeName": "cisco:rv110w_wireless-n_vpn_firewall", "version": "-", "operator": "eq"}, {"name": "cisco rv130 vpn router", "cpeName": "cisco:rv130_vpn_router", "version": "-", "operator": "eq"}, {"name": "cisco rv130w wireless-n multifunction vpn router", "cpeName": "cisco:rv130w_wireless-n_multifunction_vpn_router", "version": "-", "operator": "eq"}, {"name": "cisco rv215w wireless-n vpn router", "cpeName": "cisco:rv215w_wireless-n_vpn_router", "version": "-", "operator": "eq"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:cisco:application_extension_platform:1.0.3.55:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:cisco:rv110w_wireless-n_vpn_firewall_firmware:-:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:cisco:rv110w_wireless-n_vpn_firewall:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}, {"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": 
"cpe:2.3:o:cisco:rv130_vpn_router_firmware:-:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:cisco:rv130_vpn_router:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}, {"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:cisco:rv130w_wireless-n_multifunction_vpn_router_firmware:-:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:cisco:rv130w_wireless-n_multifunction_vpn_router:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}, {"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:cisco:rv215w_wireless-n_vpn_router_firmware:-:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:cisco:rv215w_wireless-n_vpn_router:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}]}, "extraReferences": [{"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-sb-rv-overflow-htpymMB5", "name": "20210818 Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Remote Command Execution and Denial of Service Vulnerability", "refsource": "CISCO", "tags": ["Vendor Advisory"]}]}
{"cisco": [{"lastseen": "2022-12-22T12:14:24", "description": "A vulnerability in the Universal Plug-and-Play (UPnP) service of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.\n\nThis vulnerability is due to improper validation of incoming UPnP traffic. An attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition.\n\nCisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-sb-rv-overflow-htpymMB5 [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-sb-rv-overflow-htpymMB5\"]", "cvss3": {}, "published": "2021-08-18T16:00:00", "type": "cisco", "title": "Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Remote Command Execution and Denial of Service Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-34730"], "modified": "2021-08-18T16:00:00", "id": "CISCO-SA-CISCO-SB-RV-OVERFLOW-HTPYMMB5", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-sb-rv-overflow-htpymMB5", "cvss": {"score": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "githubexploit": [{"lastseen": "2022-05-18T10:59:05", "description": "# Cisco RV110W UPnP 0day \u5206\u6790\n\n# \u524d\u8a00\n\n\u6700\u8fd1UPnP\u6bd4\u8f83\u706b\uff0c\u6070\u597d\u624b\u91cc\u6709\u4e00\u53f0Cisco RV110W...", "cvss3": {"exploitabilityScore": 3.9, 
"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-30T11:21:04", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Cisco Application Extension Platform", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34730"], "modified": "2022-05-18T10:14:44", "id": "95E65640-89C6-5DB4-B529-A64D409A4913", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "thn": [{"lastseen": "2022-05-09T12:39:13", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjGZxTcYnkXh6HDVDSZkRgT1ih3facMYGJel-0ujHKyQ8ezAnyb3Dd3no9pCiXfcSQw9hmPDL-URQy1LkFV4JaCrFP6Gl4RVb_dsI-iwJRcIxDcw1WY-2oTqdi6HnpwnhLJz8I2sPLCCDZP45h4SjVZQLYlQ-bzcgd0czHvKFMNfDV-X4_3hNU-4qFb>)\n\nA critical vulnerability in Cisco Small Business Routers will not be patched by the networking equipment giant, since the devices reached end-of-life in 2019.\n\nTracked as **CVE-2021-34730** (CVSS score: 9.8), the issue resides in the routers' Universal Plug-and-Play (UPnP) service, enabling an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, 
resulting in a denial of service (DoS) condition.\n\nThe vulnerability, which the company said is due to improper validation of incoming UPnP traffic, could be abused to send a specially-crafted UPnP request to an affected device, resulting in remote code execution as the root user on the underlying operating system.\n\n\"Cisco has not released and will not release software updates to address the vulnerability,\" the company [noted](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-sb-rv-overflow-htpymMB5>) in an advisory published Wednesday. \"The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have [entered the end-of-life process](<https://www.cisco.com/c/en/us/products/collateral/routers/small-business-rv-series-routers/eos-eol-notice-c51-742771.pdf>). Customers are encouraged to migrate to the Cisco Small Business RV132W, RV160, or RV160W Routers.\"\n\nThe issue impacts the following products \u2014\n\n * RV110W Wireless-N VPN Firewalls\n * RV130 VPN Routers\n * RV130W Wireless-N Multifunction VPN Routers\n * RV215W Wireless-N VPN Routers\n\nIn the absence of a patch, Cisco recommends customers to disable UPnP on the LAN interface. Quentin Kaiser of IoT Inspector Research Lab has been credited with reporting the vulnerability.\n\n\"All too often, after a system or service is replaced, the legacy system or service is left running 'just in case' it is needed again. The problem lies in the fact that \u2014 like in the case of this vulnerability in the Universal Plug-and-Play service \u2014 the legacy system or service is usually not kept up to date with security updates or configurations,\" said Dean Ferrando, systems engineer manager (EMEA) at Tripwire.\n\n\"This makes it an excellent target for bad actors, which is why organizations that are still using these old VPN routers should immediately take actions to update their devices. 
This should be part of an overall effort to harden systems across the entire attack surface, which helps to safeguard the integrity of digital assets and protect against vulnerabilities and common security threats which may be leveraged as entry points,\" Ferrando added.\n\nCVE-2021-34730 marks the second time the company has followed the approach of not releasing fixes for end-of-life routers since the start of the year. Earlier this April, Cisco urged users to upgrade their routers as a countermeasure to resolve a similar remote code execution bug ([CVE-2021-1459](<https://thehackernews.com/2021/04/cisco-will-not-patch-critical-rce-flaw.html>)) affecting RV110W VPN firewall and Small Business RV130, RV130W, and RV215W routers.\n\nIn addition, Cisco has also issued an alert for a [critical BadAlloc flaw](<https://thehackernews.com/2021/08/badalloc-flaw-affects-blackberry-qnx.html>) impacting BlackBerry QNX Real-Time Operating System (RTOS) that came to light earlier this week, [stating](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qnx-TOxjVPdL>) that the company is \"investigating its product line to determine which products and services may be affected by this vulnerability.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-20T06:47:00", "type": "thn", "title": "Critical Flaw Found in Older Cisco Small Business Routers Won't Be Fixed", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1459", "CVE-2021-34730"], "modified": "2021-08-20T10:10:52", "id": "THN:0B1D114F0E9F363E39DF54A7DB4324F9", "href": "https://thehackernews.com/2021/08/critical-flaw-found-in-older-cisco.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2021-08-21T10:09:07", "description": "In a [security advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-sb-rv-overflow-htpymMB5>), Cisco has informed users that a vulnerability in the Universal Plug-and-Play (UPnP) service of Cisco Small Business RV110W, RV130, RV130W, and RV215W routers could allow an 
unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.\n\nNormally we'd say "patch now", but you can't, and you'll never be able to because a patch isn't coming.\n\n### CVE-2021-34730\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed under [CVE-2021-34730](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34730>). As a result of improper validation of incoming UPnP traffic an attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device. \n\nA successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system, or cause the device to reload, resulting in a DoS condition. "Executing arbitrary code as the root user" is tantamount to "do whatever they like", which is bad. A CVSS score of 9.8 out of 10 bad. (CVSS can help security teams and developers prioritize threats and allocate resources effectively.)\n\n### UPnP\n\nUniversal Plug and Play (UPnP) is a set of networking protocols that permit networked devices, like routers, to seamlessly discover each other's presence on a network and establish functional network services.\n\nFrom that description alone it should be clear that, from a security point of view, this protocol has no place on an Internet-facing device. Once you have set up your connections to the internal devices there is no reason to leave UPnP enabled. There are plenty of reasons to disable it.\n\nA lot of the problems associated with UPnP-based threats can be linked back to security issues during implementation. 
Router manufacturers [historically](<https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=upnp>) have not been very good at securing their UPnP implementations, which often leads to the router not checking input properly. Which is exactly what happened here. Again.\n\nAnd then there are vulnerabilities in UPnP itself. The most famous one probably is [CallStranger](<https://www.helpnetsecurity.com/2020/06/09/cve-2020-12695/>), which was caused by the Callback header value in UPnP\u2019s SUBSCRIBE function that can be controlled by an attacker and enables a vulnerability which affected millions of Internet-facing devices.\n\nThat particular vulnerability should have been patched by most vendors by now by the way. But CVE-2021-34730 won't be, here's why\u2026\n\n### No patch\n\nThe affected routers have entered the [end-of-life process](<https://www.cisco.com/c/en/us/products/collateral/routers/small-business-rv-series-routers/eos-eol-notice-c51-742771.pdf>) and so Cisco has not released software updates to fix the problem. According to the security advisory, it seems they have no plans to do so either:\n\n\u201cCisco has not released and will not release software updates to address the vulnerability described in this advisory.\u201d Cisco also says it is not aware of any malicious use of the vulnerability.\n\nSince there are no workarounds that address this vulnerability, the only choice that administrators have is to disable the affected feature (UPnP). Or buy a new router. Since the routers won't receive any updates for issues in future either, we suggest you do both: Disable UPnP now, and buy a new router soon.\n\n### Mitigation\n\nFor owners of the affected routers it is particularly important to check that UPnP is disabled both on the WAN and the LAN interface. The WAN interface is set to off by default but that doesn't mean it hasn't been changed since. The LAN interface is set to on by default and needs to be turned off. 
Cisco advises that to disable UPnP on the LAN interface of a device, you do the following:\n\n * Open the web-based management interface and choose Basic Settings > UPnP.\n * Check the Disable check box.\n\nIt is important to disable UPnP on both interfaces because that is the only way to eliminate the vulnerability.\n\nStay safe, everyone!\n\nThe post [Cisco Small Business routers vulnerable to remote attacks, won't get a patch](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/cisco-small-business-routers-vulnerable-to-remote-attacks-wont-get-a-patch/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 4.7}, "published": "2021-08-19T20:29:09", "type": "malwarebytes", "title": "Cisco Small Business routers vulnerable to remote attacks, won\u2019t get a patch", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-12695", "CVE-2021-34730"], "modified": "2021-08-19T20:29:09", "id": "MALWAREBYTES:1F038DB7EFBB36EF80C56CAFA6D41B90", "href": 
"https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/cisco-small-business-routers-vulnerable-to-remote-attacks-wont-get-a-patch/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-08-21T09:44:44", "description": "A critical security vulnerability in Cisco Small Business Routers (RV110W, RV130, RV130W and RV215W models) allows remote code execution (RCE) and denial of service (DoS). The networking giant said that no patch or workaround will be coming for the bug, since the routers reached end-of-life back in 2019.\n\nThe bug ([CVE-2021-34730](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-sb-rv-overflow-htpymMB5>)) is one of six addressed by Cisco this week; it also issued an advisory for the critical BlackBerry QNX-2021-001 vulnerability unveiled earlier this week (CVE-2021-22156), which affects multiple vendors, well beyond Cisco.\n\n## **Patch Denied: Critical RCE for EoL Gear**\n\nThe critical router issue, which carries a base CVSS score of 9.8 out of 10, affects the hardware\u2019s Universal Plug-and-Play (UPnP) service, Cisco said. It could allow an unauthenticated attacker to achieve RCE or cause an affected device to restart unexpectedly.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\n\u201cThis vulnerability is due to improper validation of incoming UPnP traffic,\u201d according to the advisory. \u201cAn attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device. 
A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition.\u201d\n\nThe issue affects a range of Cisco Wireless-N and Wireless-AC VPN routers, which [reached end-of-life](<https://www.cisco.com/c/en/us/products/collateral/routers/small-business-rv-series-routers/eos-eol-notice-c51-742771.html>) in September of 2019. Cisco stopped issuing bug fixes on Dec. 1 of last year. Affected companies should look to update their hardware to avoid compromise.\n\nThe other critical flaw addressed in the updates has to do with the BlackBerry QNX-2021-001 bug [disclosed this week](<https://threatpost.com/blackberrys-qnx-devices-attacks/168772/>), which allows threat actors to take over or launch DoS attacks on devices and critical infrastructure. Essentially, the known group of BadAlloc bugs tied to BlackBerry\u2019s embedded QNX operating system (OS) now affects older devices.\n\nCisco\u2019s advisory simply states, \u201cCisco is investigating its product line to determine which products and services may be affected by this vulnerability.\u201d So far, no products have been listed.\n\n## **Medium-Severity Security Bugs in Cisco Gear**\n\nThe remaining five patches are all rated medium in severity, and affect products from across Cisco\u2019s portfolio. 
These bugs are:\n\n * [CVE-2021-34749](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sni-data-exfil-mFgzXqLN>): Server Name Identification (SNI) Data-Exfiltration Vulnerability (Cisco Web Security Appliance (WSA), Cisco Firepower Threat Defense (FTD), Snort Detection Engine)\n * [CVE-2021-1561](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-spam-jPxUXMk>): Spam Quarantine Unauthorized-Access Vulnerability (Cisco Secure Email and Web Manager)\n * [CVE-2021-34734](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipcamera-lldp-dos-OFP7j9j>): Double-Free Denial-of-Service Vulnerability (Cisco Video Surveillance 7000 Series IP Cameras Link Layer Discovery Protocol)\n * [CVE-2021-34715](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewver-c6WZPXRx>): Image-Verification Vulnerability (Cisco Expressway Series and TelePresence Video Communication Server)\n * [CVE-2021-34716](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewrce-QPynNCjh>): RCE Vulnerability (Cisco Expressway Series and TelePresence Video Communication Server)\n\nThe first bug could allow an unauthenticated, remote attacker to bypass filtering technology on an affected device to execute a command-and-control attack on a compromised host and perform and exfiltrate data from a compromised host. The advisory is an interim one, and Cisco said it was still investigating which product versions are affected.\n\n\u201cThis vulnerability is due to inadequate filtering of the SSL handshake,\u201d according to the advisory. \u201cAn attacker could exploit this vulnerability by using data from the SSL client hello packet to communicate with an external server.\u201d\n\nThe spam-quarantine-related vulnerability affects Cisco Secure Email and Web Manager releases earlier than Release 14.1. 
It could allow an authenticated, remote attacker to gain unauthorized access and modify the spam quarantine settings of another user, so that malicious messages could get through or attackers could read messages.\n\n\u201cThis vulnerability exists because access to the spam quarantine feature is not properly restricted,\u201d according to the advisory. \u201cAn attacker could exploit this vulnerability by sending malicious requests to an affected system.\u201d\n\nThe third bug exists in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Video Surveillance 7000 Series IP Cameras with firmware release 2.12.4. Exploitation could allow an unauthenticated, adjacent attacker to cause a DoS condition.\n\n\u201cThis vulnerability is due to improper management of memory resources, referred to as a double free,\u201d according to Cisco. \u201cAn attacker could exploit this vulnerability by sending crafted LLDP packets to an affected device.\u201d\n\nThe last two vulnerabilities exist in the Expressway and TelePresence products and can be exploited by authenticated, remote attackers to execute code.\n\nThe first of these allows RCE with internal user privileges on the underlying operating system; it affects users running a release earlier than the first fixed release (the bug was introduced when support for validation of SHA512 checksums was introduced in Release X8.8).\n\nThe second allows RCE on the underlying operating system as the root user. 
It affects releases earlier than the first fixed release if users are running Release X8.6 or later.\n", "cvss3": {}, "published": "2021-08-19T20:34:42", "type": "threatpost", "title": "Critical Cisco RCE Bug in Small Business Routers to Remain Unpatched", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1561", "CVE-2021-22156", "CVE-2021-34715", "CVE-2021-34716", "CVE-2021-34730", "CVE-2021-34734", "CVE-2021-34749"], "modified": "2021-08-19T20:34:42", "id": "THREATPOST:C8634F1B5CFC8DD331BF849C669F1AFB", "href": "https://threatpost.com/critical-cisco-bug-routers-unpatched/168831/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2021-11-11T02:42:15", "description": "Hello everyone! This is a new episode with my comments on the latest Information Security news.\n\n## Exchange ProxyShell\n\nI want to start with something about [attacks on Exchange](<https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html>). ProxyShell is in the news, and the LockFile ransomware has compromised more than 2000 servers. On the other hand, there is basically nothing to say here.\n\nProxyShell is the name for a set of 3 vulnerabilities. The bulletins for Remote Code Execution [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>) and Server Elevation of Privilege [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523>) were released on July 13, but the fixes had already shipped with the April Patch Tuesday patches. Yes, it happens sometimes. The bulletin for Security Feature Bypass [CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>) was released on May 11. Users had 4 months to install the updates. 
Interestingly, 2 out of 3 vulnerabilities have the property "Less likely to be exploited". As you can see, it's pretty useless.\n\nIn addition to these spring vulnerabilities, there was also a set of July vulnerabilities (CVE-2021-31196, CVE-2021-31206, CVE-2021-33768, CVE-2021-34470). It is not yet clear if they will be used in real-life attacks. Maybe yes, maybe no. But you need to install the patches anyway.\n\nOne thing is clear: Exchange is a great target. It is used almost everywhere. It is a Windows host that is reachable at the perimeter of the network. It's scary to patch it: when the email service stops working, it becomes very noticeable. And keeping Exchange without updates is even worse. Therefore, the only option is to change the infrastructure so that testing and installing updates takes as little time as possible. The patch released on Tuesday should ideally be installed on Wednesday. Everything else is dangerous. I'm not even talking about the pathological cases where an organization continues to use Exchange 2010, for which there are no more updates.\n\n## Zoom RCE\n\nHave you already seen [a nice analysis of a Zoom Remote Code Execution](<https://sector7.computest.nl/post/2021-08-zoom/>) that does not require any user interaction? About two minutes of magic with call/message notifications, and a calculator window appears on the target host. Very cool and effective.\n\nAnd here it should be noted that Zoom does not force updates. To update, you need to go to Settings and click the "Check for Updates" button. I had version 2.7.4 and Zoom was not showing any notifications. After clicking on "Check for Updates", Zoom updated to 2.7.6. 
Forced updates are not configurable in any way via the GUI, but in a corporate environment it seems they can be enabled [using group policies](<https://support.zoom.us/hc/en-us/articles/360039100051-Group-Policy-Options-for-the-Windows-desktop-client-and-Zoom-Rooms>): EnableClientAutoUpdate, EnableSilentAutoUpdate, AlwaysCheckLatestVersion.\n\n## Citrix Canceled PT Acknowledgments\n\nCool story. [Citrix quietly removed Positive Technologies employees](<https://twitter.com/ptswarm/status/1429797658416328708>) Klyuchnikov and Medov from the acknowledgment sections for the [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>) and [CVE-2020-8209](<https://support.citrix.com/article/CTX277457>) vulnerabilities. They were mentioned in March, but not in August. Citrix canceled its "thanks", so to speak. And it is clear why: the US sanctions against Positive Technologies. And when Citrix was called out and shamed on Twitter, they put everything back. Also quietly. Well, such cuties, huh? ^_^\n\n## Cisco No Patch Router RCEs\n\nNot news, but an interesting feature of the brave new world. How it used to be: you bought hardware and used it until it broke. Now any hardware requires constant updating for safe operation, and after a certain moment the vendor shrugs its shoulders and says "sorry, End Of Life". For example, this is how [Cisco responded to the RCE vulnerability CVE-2021-34730](<https://thehackernews.com/2021/08/critical-flaw-found-in-older-cisco.html>) (CVSS score: 9.8) in the UPnP service of the RV110W, RV130, RV130W and RV215W SMB routers. [They write that](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-sb-rv-overflow-htpymMB5>) you should either disable UPnP completely or throw out the router and buy a new one. On the one hand, UPnP is certainly not secure, and you don't need it. 
But come on, this is a legitimate feature, and Cisco doesn't want to fix vulnerabilities in it for not-so-old hardware released in 2011-2013. Moreover, this is not the first RCE in these routers that they do not want to fix: [in April there was CVE-2021-1459 in the admin web interface](<https://thehackernews.com/2021/04/cisco-will-not-patch-critical-rce-flaw.html?m=1>). In terms of functionality, the devices are quite adequate, given that they now cost less than $100.\n\n"[The RV130W Wireless-N Router](<https://www.cisco.com/c/en/us/products/routers/rv130w-wireless-n-multifunction-vpn-router/index.html>) offers investment protection as your small business needs evolve. This multifunctional networking device features:\n\n * Gigabit Ethernet connections, including a four-port managed switch\n * USB 3G/4G failover support\n * Built-in, high-speed wireless-N access point\n * IP Security (IPsec) VPN for flexible remote access\n * Support for separate virtual networks and wireless guest access".\n\nAnd formally they are right. But I would like the support period to be longer, critical vulnerabilities to be fixed even after it ends, the option to install alternative firmware, and mandatory labeling of when the device "turns into a pumpkin." There is a lot to wish for. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-31T23:16:51", "type": "avleonov", "title": "Security News: Exchange ProxyShell, Zoom RCE, Citrix Canceled PT Acknowledgments, Cisco No Patch Router RCEs", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2020-8209", "CVE-2021-1459", "CVE-2021-31196", "CVE-2021-31206", "CVE-2021-31207", "CVE-2021-33768", "CVE-2021-34470", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34730"], "modified": "2021-08-31T23:16:51", "id": "AVLEONOV:B0F649A99B171AC3032AF71B1DCCFE34", "href": "https://avleonov.com/2021/09/01/security-news-exchange-proxyshell-zoom-rce-citrix-canceled-pt-acknowledgments-cisco-no-patch-router-rces/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}