CVE-2014-0659
Published 2014-01-12
Priority: P1 · 81 · critical
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 73.83% (99.4th percentile)
The Cisco WAP4410N access point with firmware through 2.0.6.1, WRVS4400N router with firmware 1.x through 1.1.13 and 2.x through 2.0.2.1, and RVS4000 router with firmware through 2.0.3.2 allow remote attackers to read credential and configuration data, and execute arbitrary commands, via requests to the test interface on TCP port 32764, aka Bug IDs CSCum37566, CSCum43693, CSCum43700, and CSCum43685.
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | rvs4000_firmware | <= 2.0.3.2 | — |
| cisco | rvs4000_firmware | — | — |
| cisco | rvs4000_firmware | — | — |
| cisco | rvs4000_firmware | — | — |
| cisco | rvs4000_firmware | — | — |
| cisco | small_business_devices | — | — |
| cisco | wap4410n_firmware | <= 2.0.6.1 | — |
| cisco | wap4410n_firmware | — | — |
| cisco | wap4410n_firmware | — | — |
| cisco | wap4410n_firmware | — | — |
| cisco | wrvs4400n_firmware | — | — |
| cisco | wrvs4400n_firmware | — | — |
| cisco | wrvs4400n_firmware | — | — |
| cisco | wrvs4400n_firmware | — | — |
Detection & IOCs (extracted from sources)
- bytes: 0x53634d4d (ScMM) - Little Endian backdoor magic bytes
- bytes: 0x4d4d6353 (MMcS) - Big Endian backdoor magic bytes
- bytes: 0x53634d4d, 0x07, cmd_length - backdoor command execution struct (LE)
- Detect inbound TCP connections to port 32764 on network devices (WAP4410N, WRVS4400N, RVS4000); any traffic to this port is suspicious and indicative of backdoor access attempts.
- Detect TCP payloads beginning with the magic bytes 'MMcS' (Big Endian) or 'ScMM' (Little Endian) on port 32764, which are the SerComm backdoor handshake signatures.
- Detect TCP payloads on port 32764 containing the 12-byte command structure [0x53634d4d][0x07][cmd_length] followed by arbitrary command text, indicating remote command execution attempts via the SerComm backdoor.
- Use the Metasploit auxiliary scanner module 'scanner/misc/sercomm_backdoor_scanner' to identify vulnerable SerComm-based devices on the network.
- Note: the backdoor test interface listens on TCP port 32764 and is present in specific firmware versions only; patched firmware completely removes the interface. Verify firmware versions before assuming exposure: WAP4410N ≤2.0.6.1, WRVS4400N 1.x ≤1.1.13 / 2.x ≤2.0.2.1, RVS4000 ≤2.0.3.2.
- Note: a secondary vulnerability was introduced in the patch itself; Cisco later confirmed the interface was completely removed in subsequent firmware. Devices running the initial 'fix' firmware may still be vulnerable via a different attack path.
- Note: the backdoor is present in SerComm OEM firmware used across multiple vendors (NetGear, Linksys, Honeywell, Cisco); detection should not be limited to Cisco-branded devices alone.
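Detection logic for the indicators above, written as an added example (not code from the page's sources): it checks a TCP segment for the 32764 destination port, for the 0x53634d4d magic constant in either byte order, and for the 12-byte [magic][0x07][cmd_length] command header, decoding the integer fields in the byte order the magic arrived in. The sample segments are constructed, and the field names in the returned dict are this example's own.

```python
import struct

# Values quoted in the page's Detection & IOCs section
SERCOMM_PORT = 32764
MAGIC = 0x53634D4D      # 'ScMM' packed big-endian, 'MMcS' packed little-endian
CMD_EXEC_TYPE = 0x07    # message type of the command-execution struct
HEADER_LEN = 12         # [magic][type][cmd_length], three 32-bit fields

def verdict(hit):
    """Most specific indicator wins."""
    if hit["msg_type"] == CMD_EXEC_TYPE:
        return "command-execution"
    if hit["magic"] is not None:
        return "backdoor-handshake"
    if hit["port_hit"]:
        return "port-32764-traffic"
    return "clean"

def inspect_payload(dst_port, payload):
    """Classify one TCP payload; returns the indicators a detection pipeline would log."""
    hit = {"port_hit": dst_port == SERCOMM_PORT, "magic": None, "msg_type": None,
           "cmd_len": None, "body_len": None, "truncated": False}
    # The same constant appears as 'ScMM' or 'MMcS' on the wire depending on the
    # device's endianness, and the integer fields that follow use the same order.
    for fmt, label in (("<", "little"), (">", "big")):
        if payload[:4] != struct.pack(fmt + "I", MAGIC):
            continue
        hit["magic"] = label
        if len(payload) < HEADER_LEN:
            hit["truncated"] = True   # magic seen but header cut short: still alert
        else:
            hit["msg_type"], hit["cmd_len"] = struct.unpack(fmt + "II", payload[4:HEADER_LEN])
            hit["body_len"] = len(payload) - HEADER_LEN   # compare against cmd_len in triage
        break
    hit["verdict"] = verdict(hit)
    return hit

# Constructed sample segments (not captures from the page's sources)
SAMPLES = [
    (80, b"GET / HTTP/1.1\r\nHost: router\r\n\r\n"),                  # ordinary web request
    (32764, b"GET / HTTP/1.1\r\nHost: router\r\n\r\n"),               # suspicious port, no magic
    (32764, struct.pack(">I", MAGIC)),                                # bare big-endian handshake
    (32764, struct.pack("<III", MAGIC, CMD_EXEC_TYPE, 8) + b"COMMAND\x00"),  # LE command request
    (8080, struct.pack(">III", MAGIC, 0x01, 0)),                      # magic on a non-standard port
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        h = inspect_payload(port, data)
        print(f"tcp/{port:<5} {h['verdict']:<20} magic={h['magic']} type={h['msg_type']} cmd_len={h['cmd_len']}")
```

Because the port check and the magic check are independent, the last sample still fires on the magic alone, which matters where an operator has moved or proxied the service.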
CVSS provenance
- NVD (CVSS v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- Vendor (Cisco): 10.0 CRITICAL
Cisco advisory: Undocumented Test Interface in Cisco Small Business Devices (vendor_cisco · 2014-01-11 · CVSS 10.0 · CRITICAL)
A vulnerability in the Cisco WAP4410N Wireless-N Access Point, Cisco WRVS4400N Wireless-N Gigabit Security Router, and the Cisco RVS4000 4-port Gigabit Security Router could allow an unauthenticated, remote attacker to gain root-level access to an affected device.
Note: Additional research performed by Mr. Eloi Vanderbeken during April 2014 seems to indicate that some products may be affected by another vulnerability, introduced while fixing the original "TCP port 32764 Undocumented Test Interface" vulnerability. Cisco has confirmed the undocumented test interface has been completely removed by the firmware images listed in this advisory and cannot be re-enabled in the Cisco WAP4410N Wireless-N Access Point, Cisco WRVS4400N Wire
GHSA advisory: GHSA-vx5m-4g29-886g (ghsa_unreviewed · 2022-05-17 · HIGH · CWE-78)
The GHSA record repeats the NVD description above verbatim.
No detection rules found.
Exploit-DB: SerComm Device - Remote Code Execution (Metasploit) (exploitdb · 2014-01-14)

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "SerComm Device Remote Code Execution",
      'Description' => %q{
        This module will cause remote code execution on several SerComm devices.
        These devices typically include routers from NetGear and Linksys.
        Tested against NetGear DG834.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Eloi Vanderbeken ',      # Initial discovery, poc
          'Matt "hostess" Andreko ' # Msf module
        ],
      'Payload'     =>
        {
          'Space'       => 10000, # Could be more, but this should be good enough
          'DisableNops' => true
        },
      'Platform'    => 'linux',
      'Privileged'  => false,
      'Targets'     =>
        [
          ['Linux MIPS Big Endian',
            {
              'Arch' => A
```
Metasploit: SerComm Device Remote Code Execution
This module will cause remote code execution on several SerComm devices. These devices typically include routers from NetGear and Linksys. This module was tested successfully against several NetGear, Honeywell and Cisco devices.
Metasploit: SerComm Network Device Backdoor Detection
This module can identify SerComm manufactured network devices which contain a backdoor, allowing command injection or account disclosure.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/56292
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140110-sbd
- http://tools.cisco.com/security/center/viewAlert.x?alertId=32381
- http://www.securityfocus.com/bid/64776
- http://www.securitytracker.com/id/1029579
- http://www.securitytracker.com/id/1029580
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90233
- https://github.com/elvanderb/TCP-32764