Reference: CERT-EU Security Advisory 2014-028

Title: Cisco Small Business Router Password Disclosure Vulnerability [1]

Version history:
06.03.2014 Initial publication

Summary
=======
A vulnerability in the web management interface of the Cisco RV110W Wireless-N VPN Firewall, the Cisco RV215W Wireless-N VPN Router, and the Cisco CVR100W Wireless-N VPN Router could allow an unauthenticated, remote attacker to gain administrative-level access to the web management interface of the affected device.

CVE numbers: [1]
CVE-2014-0683 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Vulnerable systems
==================
The following products are affected by the vulnerability that is described in this advisory:

Cisco RV110W Wireless-N VPN Firewall running firmware versions 1.2.0.9 and prior
Cisco RV215W Wireless-N VPN Router running firmware versions 1.1.0.5 and prior
Cisco CVR100W Wireless-N VPN Router running firmware versions 1.0.1.19 and prior

Original Details
================
The vulnerability is due to improper handling of authentication requests by the web framework. An attacker could exploit this vulnerability by intercepting, modifying and resubmitting an authentication request. Successful exploitation of this vulnerability would give an attacker administrative-level access to the web-based administration interface on the affected device.

What can you do?
================
Patches are available for the affected versions. [1]

What to tell your users?
========================
N/A

More information
================
[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140305-rpd

Best regards,

CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
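
Added example (not part of the CERT-EU advisory or of any Cisco tooling): a small inventory triage that flags devices at or below the firmware versions listed under "Vulnerable systems". The CSV layout, hostnames and the function names are assumptions made for illustration; the sample inventory is constructed.

```python
import csv
import io

# Last affected firmware per model, from the advisory's "Vulnerable systems" list.
LAST_AFFECTED = {"RV110W": "1.2.0.9", "RV215W": "1.1.0.5", "CVR100W": "1.0.1.19"}

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """hostname,model,firmware
branch-fw-01,RV110W,1.2.0.9
branch-fw-02,RV110W,1.2.0.10
branch-rt-03,rv215w,1.1.0.5
home-rt-04,CVR100W,1.0.1.21
lab-rt-05,RV215W,unknown
core-sw-06,EXAMPLE-SW,1.4.0.88
"""

def parse_version(text):
    """'1.2.0.9' -> (1, 2, 0, 9). Fields compare as integers, so 1.2.0.10
    sorts above 1.2.0.9 (a plain string comparison gets this wrong)."""
    parts = [int(p) for p in text.strip().split(".")]
    while parts and parts[-1] == 0:  # treat 1.2.0 and 1.2.0.0 as equal
        parts.pop()
    return tuple(parts)

def classify(model, firmware):
    """Return 'affected', 'not affected', 'not listed' or 'check manually'."""
    limit = LAST_AFFECTED.get(model.strip().upper())
    if limit is None:
        return "not listed"  # model does not appear in this advisory
    try:
        installed = parse_version(firmware)
    except ValueError:
        return "check manually"  # version missing or not dotted-numeric
    return "affected" if installed <= parse_version(limit) else "not affected"

def triage(inventory_csv):
    """Return [(hostname, status), ...] for a CSV with the columns above."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["hostname"], classify(r["model"], r["firmware"])) for r in rows]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {status}")
```

Devices reported as "check manually" should be treated as potentially affected until the installed firmware version is confirmed.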