blog.malwarebytes.com
130.211.198.3  Public Scan

Submitted URL: http://go2.malwarebytes.com/ODA1LVVTRy0zMDAAAAF_rRW_u3mHd9TsCVdnD0BIHMpyCm6p8n46q0QgLp6XNOoluj2PkvfVIxPk0ZtK4GkeqaqqgR8=
Effective URL: https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/cisco-small-business-routers-vulnerable-to-remote-attacks-w...
Submission: On September 22 via api from US — Scanned from DE

Exploits and vulnerabilities


CISCO SMALL BUSINESS ROUTERS VULNERABLE TO REMOTE ATTACKS, WON’T GET A PATCH

Posted: August 19, 2021 by Pieter Arntz
Last updated: August 20, 2021

Some older Cisco routers have a serious vulnerability that won't be getting a
patch. Time to buy a new router.

In a security advisory, Cisco has informed users that a vulnerability in the
Universal Plug-and-Play (UPnP) service of Cisco Small Business RV110W, RV130,
RV130W, and RV215W routers could allow an unauthenticated, remote attacker to
execute arbitrary code or cause an affected device to restart unexpectedly,
resulting in a denial of service (DoS) condition.

Normally we’d say “patch now”, but you can’t, and you’ll never be able to
because a patch isn’t coming.


CVE-2021-34730

Publicly disclosed computer security flaws are listed in the Common
Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to
share data across separate vulnerability capabilities (tools, databases, and
services). This vulnerability is listed under CVE-2021-34730. As a result of
improper validation of incoming UPnP traffic, an attacker could exploit this
vulnerability by sending a crafted UPnP request to an affected device.

A successful exploit could allow the attacker to execute arbitrary code as the
root user on the underlying operating system, or cause the device to reload,
resulting in a DoS condition. “Executing arbitrary code as the root user” is
tantamount to “do whatever they like”, which is bad. A CVSS score of 9.8 out of
10 bad. (CVSS can help security teams and developers prioritize threats and
allocate resources effectively.)


UPNP

Universal Plug and Play (UPnP) is a set of networking protocols that permit
networked devices, like routers, to seamlessly discover each other’s presence on
a network and establish functional network services.

From that description alone it should be clear that, from a security point of
view, this protocol has no place on an Internet-facing device. Once you have set
up your connections to the internal devices there is no reason to leave UPnP
enabled. There are plenty of reasons to disable it.

A lot of the problems associated with UPnP-based threats can be linked back to
security issues during implementation. Router manufacturers historically have
not been very good at securing their UPnP implementations, which often leads to
the router not checking input properly. Which is exactly what happened here.
Again.

And then there are vulnerabilities in UPnP itself. The most famous one is
probably CallStranger, which was caused by the Callback header value in UPnP’s
SUBSCRIBE function being controllable by an attacker, and which affected
millions of Internet-facing devices.

By the way, that particular vulnerability should have been patched by most
vendors by now. But CVE-2021-34730 won’t be. Here’s why…


NO PATCH

The affected routers have entered the end-of-life process and so Cisco has not
released software updates to fix the problem. According to the security
advisory, it seems they have no plans to do so either:

“Cisco has not released and will not release software updates to address the
vulnerability described in this advisory.” Cisco also says it is not aware of
any malicious use of the vulnerability.

Since there are no workarounds that address this vulnerability, the only choice
that administrators have is to disable the affected feature (UPnP). Or buy a new
router. Since the routers won’t receive updates for any future issues either,
we suggest you do both: disable UPnP now, and buy a new router soon.


MITIGATION

For owners of the affected routers it is particularly important to check that
UPnP is disabled both on the WAN and the LAN interface. The WAN interface is set
to off by default but that doesn’t mean it hasn’t been changed since. The LAN
interface is set to on by default and needs to be turned off. Cisco advises that
to disable UPnP on the LAN interface of a device, you do the following:

 * Open the web-based management interface and choose Basic Settings > UPnP.
 * Check the Disable check box.

It is important to disable UPnP on both interfaces because that is the only way
to eliminate the vulnerability.
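
To confirm from a machine on your own LAN that the change took effect, you can send a standard SSDP discovery request and see whether the router still answers. The script below is an added example, not part of the original article or of Cisco's advisory; it assumes the router's LAN address is 192.168.1.1 and that a router with UPnP disabled no longer replies to SSDP discovery. It checks the LAN side only.

```python
import socket

SSDP_GROUP = ("239.255.255.250", 1900)  # standard SSDP multicast address and port

def build_msearch(st="ssdp:all", mx=2):
    """Build a standard SSDP M-SEARCH discovery request."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode("ascii")

def parse_response(raw):
    """Return an SSDP reply's headers as a lower-cased dict, or None if it is not a 200 reply."""
    lines = raw.decode("utf-8", "replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def upnp_responders(replies, router_ip):
    """From (sender_ip, raw_datagram) pairs, return parsed replies that came from router_ip."""
    parsed = [(ip, parse_response(raw)) for ip, raw in replies]
    return [h for ip, h in parsed if ip == router_ip and h is not None]

def probe(timeout=3.0):
    """Send one M-SEARCH on the local network and collect replies until the timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        while True:
            data, (ip, _port) = sock.recvfrom(65507)
            replies.append((ip, data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies

if __name__ == "__main__":
    ROUTER_IP = "192.168.1.1"  # assumption: replace with your router's LAN address
    hits = upnp_responders(probe(), ROUTER_IP)
    print("UPnP still answering on the LAN" if hits else "no SSDP reply from router")
```

An empty result after disabling UPnP is what you want to see; any reply from the router's address means the service is still listening on the LAN interface.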

Stay safe, everyone!


ABOUT THE AUTHOR

Pieter Arntz
Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four
languages. Smells of rich mahogany and leather-bound books.

