On January 10th, Cisco confirmed an undocumented backdoor in several of their small business routers which "could allow an unauthenticated, remote attacker to gain root-level access to an affected device.
This vulnerability is due to an undocumented test interface in the TCP service listening on port 32764 of the affected device. An attacker could exploit this vulnerability by accessing the affected device from the LAN-side interface and issuing arbitrary commands in the underlying operating system. An exploit could allow the attacker to access user credentials for the administrator account of the device, and read the device configuration. The exploit can also allow the attacker to issue arbitrary commands on the device with escalated privileges.
Cisco indicated that they will be releasing free updates for the affected product. I have to admit that I can't help myself but to laugh when I read their official title for this one, "Undocumented Test Interface in Cisco Small Business Devices". A test interface?
The products in question are:
- Cisco RVS4000 4-port Gigabit Security Router running firmware version 22.214.171.124 and prior
- Cisco WRVS4400N Wireless-N Gigabit Security Router hardware version 1.0 and 1.1 running firmware version 1.1.13 and prior
- Cisco WRVS4400N Wireless-N Gigabit Security Router hardware version 2.0 running firmware version 126.96.36.199 and prior
- Cisco WAP4410N Wireless-N Access Point running firmware version 188.8.131.52 and prior
It was interesting to note that Cisco was quick to point out that they had divested themselves of the Linksys line. Belkin took over the Linksys brand from Cisco in March 2013.
For those of you wondering if there is affected versions in the Linksys line, Cisco advises that people reach out to Belkin directly via 'security @ belkin.com'. I'd point readers to their security page directly but, for whatever reason I couldn't find such an animal. I will go out on a limb and posit that this issue probably exists in some of the products that Belkin inherited.
The significant downside to this announcement is that a wide swath of these devices will remain unpatched for the foreseeable future. These are typically deployed in smaller businesses that lack the proper IT related support to remedy the issue.
So why might you ask am I writing about this now? Well, for the simple reason that this could potentially put hundreds of small businesses at risk by virtue of the fact that they will not have the aforementioned support. I'm concerned that this could still be an exposure that we will be able to find in a year from now.
Hope springs nonetheless.
[Update] It appears that this problem affects a little more than I first thought at first blush. Here is a link for more on this story (h/t SB)