Cisco warns of big remote management hole in tiny routers


Networking giant Cisco is probably best known for its reassuringly expensive enterprise-grade network kit.

But it also sells consumer products, and even little routers can have giant holes, as Cisco warns in a just-published security advisory.

A range of the company's wireless residential gateways - SoHo routers, to you and me - have remote code execution bugs in their web servers.

Like many routers, the affected models, including the DPC3825 and DPC3925, have a web-based management interface.

According to the manual for the 3825 model, the web interface is only accessible via HTTPS (secure HTTP), whether you are connecting to it from inside or outside, which is a good feature to see.

Sadly, however, a cryptographically secure connection alone doesn't shield your web server code from buffer overflows when it handles the requests it receives.

And that seems to be the problem here, as Cisco explains:

A vulnerability in the web server ... could allow an unauthenticated, remote attacker to exploit a buffer overflow and cause arbitrary code execution.

In simple English, that means a crook could connect to your router via HTTPS and, without entering a username or password, take it over.

Cisco goes one step further and suggests that "[w]orkarounds that mitigate this vulnerability are not available," but the online manual fortunately suggests otherwise.

You can, it seems, simply go to the Administration > Management page in the configuration interface and turn off Remote Management.

That doesn't fix the buffer overflow, of course, but it means that only users already connected to your network from the inside can get at the buggy web server, greatly reducing your risk.

It's not explicit in the manual whether remote administration is on by default, though more than one screenshot shows the option set to Disable, suggesting that it is off to start with.

We'd recommend turning the internet-facing web administration interface off anyway, buffer overflow or not.

Cisco says that a fix is available - the security advisory has more details.
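
To confirm that turning off Remote Management took effect, you can probe your gateway's internet-facing address from outside your own network. The script below is an added example, not code from Cisco or from the original article; the function names are hypothetical, and port 443 is an assumption (the standard HTTPS port), since the article does not say which port the remote management interface uses.

```python
import socket
import ssl
import sys


def probe_management_port(host, port=443, timeout=3.0):
    """Classify host:port as 'closed', 'filtered', 'open-tls' or 'open-no-tls'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"      # the gateway actively refused the connection
    except OSError:
        return "filtered"    # timed out or unreachable: nothing answered
    with sock:
        # Certificate checks are disabled on purpose: the only question is
        # whether anything speaks TLS on this port, not whether to trust it.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with ctx.wrap_socket(sock):
                return "open-tls"     # an HTTPS service is reachable
        except OSError:               # ssl.SSLError is a subclass of OSError
            return "open-no-tls"      # port accepts TCP but no TLS handshake


def is_exposed(status):
    """Any accepted TCP connection means a service is reachable from here."""
    return status.startswith("open")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py <your-WAN-address> [port]")
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443  # assumed port
    result = probe_management_port(target, target_port)
    print(f"{target}:{target_port} -> {result}")
    # Exit status 1 signals that the interface is still reachable.
    sys.exit(1 if is_exposed(result) else 0)
```

Run it against your own gateway's public address from a connection outside your network, such as a tethered phone; a result of open-tls means the web interface is still reachable from the internet.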


5 Responses to Cisco warns of big remote management hole in tiny routers

  1. Keith · 309 days ago

    Why would you even allow management connection via the outside interface either?

    • Jim · 308 days ago

      If the device is maintained by an external entity, it has to be. For example, combination cable-modem and firewall boxes that are managed by the ISP.

      I wouldn't do it that way, but some small businesses aren't technical enough to handle the support.

    • Alexa Kindler · 308 days ago

      Well ... you may have situations in which the upstream is an internal network, too, which in turn connects to a router. You may want to do management from that side in that case.
      This situation is surprisingly more frequent than you think.

    • Paul Ducklin · 308 days ago

      Cisco's manual says, simply, "This feature allows you to access and manage your gateway settings from the Internet when you are away from home."

      Which doesn't answer your (admittedly rhetorical) question, but there you go. Road warriors might like the idea, I suppose. Personally, I'd go for a remote access solution that allowed me to connect inwards using better-audited code designed for remote access, like OpenSSH, rather than exposing a web server of unknown provenance to the vagaries of the entire internet.

  2. Magyver · 305 days ago

    Guess what Paul?

    To get the fix, you have to download a PDF file from an unsecure HTTP page.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog