Cisco Security Advisory

Undocumented Test Interface in Cisco Small Business Devices

Advisory ID: cisco-sa-20140110-sbd

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140110-sbd

Revision 1.5

Last Updated  2014 April 23 18:22  UTC (GMT)

For Public Release 2014 January 10 16:00  UTC (GMT)


Summary

A vulnerability in the Cisco WAP4410N Wireless-N Access Point, Cisco WRVS4400N Wireless-N Gigabit Security Router, and the Cisco RVS4000 4-port Gigabit Security Router could allow an unauthenticated, remote attacker to gain root-level access to an affected device.

Note: Additional research performed by Mr. Eloi Vanderbeken during April 2014 seems to indicate that some products may be affected by another vulnerability, introduced while fixing the original "TCP port 32764 Undocumented Test Interface" vulnerability. Cisco has confirmed the undocumented test interface has been completely removed by the firmware images listed in this advisory and cannot be re-enabled in the Cisco WAP4410N Wireless-N Access Point, Cisco WRVS4400N Wireless-N Gigabit Security Router, and the Cisco RVS4000 4-port Gigabit Security Router.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are not available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140110-sbd

Affected Products

In March, 2013, Linksys was divested from Cisco and is now part of Belkin. For questions regarding all Linksys products, please contact the Belkin Incident Response Team at security@belkin.com.

Vulnerable Products

The following products are affected by the vulnerabilities that are described in this advisory:
  • Cisco RVS4000 4-port Gigabit Security Router running firmware version 2.0.3.2 and prior
  • Cisco WRVS4400N Wireless-N Gigabit Security Router hardware version 1.0 and 1.1 running firmware version 1.1.13 and prior
  • Cisco WRVS4400N Wireless-N Gigabit Security Router hardware version 2.0 running firmware version 2.0.2.1 and prior
  • Cisco WAP4410N Wireless-N Access Point running firmware version 2.0.6.1 and prior

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by these vulnerabilities.

Details

A vulnerability in the Cisco WAP4410N Wireless-N Access Point, Cisco WRVS4400N Wireless-N Gigabit Security Router, and the Cisco RVS4000 4-port Gigabit Security Router could allow an unauthenticated, remote attacker to gain root-level access to an affected device. This vulnerability can be triggered from the LAN interfaces of the Cisco WRVS4400N Wireless-N Gigabit Security Router and the Cisco RVS4000 4-port Gigabit Security Router, and from the wireless LAN (WLAN) and the LAN interfaces of the Cisco WAP4410N Wireless-N Access Point.

This vulnerability is due to an undocumented test interface in the TCP service listening on port 32764 of the affected device. An attacker could exploit this vulnerability by accessing the affected device from the LAN-side interface and issuing arbitrary commands in the underlying operating system. An exploit could allow the attacker to access user credentials for the administrator account of the device, and read the device configuration. The exploit can also allow the attacker to issue arbitrary commands on the device with escalated privileges.

This vulnerability is documented in Cisco bug ID CSCum37566 (registered customers only) for the Cisco WAP4410N Wireless-N Access Point; Cisco bug IDs CSCum43693 (registered customers only) and CSCum43700 (registered customers only) for the WRVS4400N Wireless-N Gigabit Security Router; and Cisco bug ID CSCum43685 (registered customers only) for the Cisco RVS4000 4-port Gigabit Security Router. This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2014-0659.

Vulnerability Scoring Details

Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss


CSCum37566 - Undocumented Test Interface in Cisco Small Business WAP4410N

Calculate the environmental score of CSCum37566

CVSS Base Score - 10.0
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete

CVSS Temporal Score - 10.0
  • Exploitability: High
  • Remediation Level: Unavailable
  • Report Confidence: Confirmed




CSCum43685 - Undocumented Test Interface in Cisco Small Business RVS4000

Calculate the environmental score of CSCum43685

CVSS Base Score - 10.0
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete

CVSS Temporal Score - 10.0
  • Exploitability: High
  • Remediation Level: Unavailable
  • Report Confidence: Confirmed




CSCum43693 and CSCum43700 - Undocumented Test Interface in Cisco Small Business WRVS4400N

Calculate the environmental score of CSCum43693 and CSCum43700

CVSS Base Score - 10.0
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete

CVSS Temporal Score - 10.0
  • Exploitability: High
  • Remediation Level: Unavailable
  • Report Confidence: Confirmed


Impact

Successful exploitation of the vulnerabilities described in this document could allow an unauthenticated, remote attacker to execute arbitrary commands on the device with elevated privileges. This could cause the device to become unresponsive or cause the device configuration to restore to the factory default.

Software Versions and Fixes

Cisco has released free software updates for the WAP4410N and WRVS4400N that address the vulnerabilities described in this advisory at the following links:

Cisco WAP4410N Wireless-N Access Point firmware version 2.0.7.4

Cisco WRVS4400N Wireless-N Gigabit Security Router hardware version 2.0 firmware version 2.0.2.2

Cisco RVS4000 4-port Gigabit Security Router firmware version 2.0.3.4

When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
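
The affected and fixed firmware versions listed in this advisory can be applied to a device inventory as follows. This is an added example, not Cisco code: the status labels, function names, and inventory rows are constructed for illustration, and only the model names, version thresholds, and TCP port come from the advisory.

```python
import socket

# Thresholds copied from the advisory: (model, hardware revisions or None for any,
# last affected firmware, first fixed firmware or None when the advisory lists none).
ADVISORY = [
    ("RVS4000",   None,           "2.0.3.2", "2.0.3.4"),
    ("WRVS4400N", {"1.0", "1.1"}, "1.1.13",  None),
    ("WRVS4400N", {"2.0"},        "2.0.2.1", "2.0.2.2"),
    ("WAP4410N",  None,           "2.0.6.1", "2.0.7.4"),
]
TEST_INTERFACE_PORT = 32764  # TCP port named in the advisory

def parse_version(text):
    """Turn '2.0.3.2' into (2, 0, 3, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(model, hardware, firmware):
    """Return 'affected', 'affected-no-fix-listed', 'fixed', 'unlisted' or 'not-in-advisory'."""
    fw = parse_version(firmware)
    for adv_model, hw_revs, last_affected, first_fixed in ADVISORY:
        if model.upper() != adv_model or (hw_revs and hardware not in hw_revs):
            continue
        if fw <= parse_version(last_affected):
            return "affected" if first_fixed else "affected-no-fix-listed"
        if first_fixed and fw >= parse_version(first_fixed):
            return "fixed"
        return "unlisted"  # between the two thresholds: the advisory makes no statement
    return "not-in-advisory"

def listener_present(host, port=TEST_INTERFACE_PORT, timeout=2.0):
    """True if a TCP connection to host:port succeeds (run from the LAN side of your own device)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed inventory rows: (name, model, hardware revision, firmware version).
INVENTORY = [
    ("branch-rtr", "RVS4000", "", "2.0.3.2"),
    ("lab-rtr", "WRVS4400N", "1.1", "1.1.13"),
    ("hq-rtr", "WRVS4400N", "2.0", "2.0.2.2"),
    ("lobby-ap", "WAP4410N", "", "2.0.7.1"),
]

def audit(inventory):
    """Map each inventory name to its advisory status."""
    return {name: classify(model, hw, fw) for name, model, hw, fw in inventory}
```

Devices reported as "unlisted" or "affected-no-fix-listed" need a follow-up with the vendor, and `listener_present` can confirm after an upgrade that nothing answers on TCP port 32764.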

Workarounds

There are no known workarounds that mitigate these vulnerabilities.

Obtaining Fixed Software

Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html.

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Navigator on Cisco.com at http://www.cisco.com/cisco/software/navigator.html.

Customers Using Third-Party Support Organizations

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Small Business Support Center (SBSC):
  • +1 866 606 1866 (toll free from within North America)
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should contact the SBSC.

Refer to Cisco Small Business Support Center contact number at http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and email addresses for support in various languages.

Exploitation and Public Announcements

The vulnerability discussed in this document has been publicly disclosed and public exploit code is available. The Cisco Product Security Incident Response Team (PSIRT) is not aware of any widespread exploitation at this time.

Eloi Vanderbeken publicly disclosed this vulnerability via his GitHub page: https://github.com/elvanderb/TCP-32764

Matthew1471! reported this vulnerability to Cisco. Cisco would like to thank him for notifying the Cisco PSIRT.

Status of This Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This advisory is posted on Cisco Security Intelligence Operations at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140110-sbd

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following email addresses:
  • cust-security-announce@cisco.com
  • first-bulletins@lists.first.org
  • bugtraq@securityfocus.com
  • vulnwatch@vulnwatch.org
  • cisco@spot.colorado.edu
  • cisco-nsp@puck.nether.net
  • full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.

Revision History

Revision 1.5 2014-April-23 Added NOTE regarding new vulnerability information to the Summary section.
Revision 1.4 2014-March-14 Added download link for RVS4000 firmware version 2.0.3.4 to "Software Versions and Fixes."
Revision 1.3 2014-January-28 Added fixed software version information. Added Cisco Small Business Support Center contact information.
Revision 1.2 2014-January-24 Fixed broken hyperlink in "Summary" section.
Revision 1.1 2014-January-10 Updated Affected Products section to add Belkin Incident Response Team contact information.
Revision 1.0 2014-January-10 Initial public release.

Cisco Security Procedures

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.