Cisco botched patches for its RV320/RV325 routers
Cisco RV320 and RV325 WAN VPN routers are still vulnerable to attack through two flaws that Cisco had supposedly patched.
#Cisco Small Business Routers still vulnerable to remote code execution & configuration export due to incomplete patch 🚨 #RCE #RV320 #RV325 New advisories: https://t.co/fPzrrkb3Hk https://t.co/xZex3wdfpb https://t.co/iZUuCCEnGx
— RedTeam Pentesting (@RedTeamPT) March 27, 2019
There are still many vulnerable devices
CVE-2019-1652 and CVE-2019-1653 were discovered in September 2018 by security experts from RedTeam Pentesting and disclosed to Cisco, which delivered patches in January 2019.
Unfortunately, the patches did not fix the vulnerabilities, but merely blacklisted the user agent for curl, a command-line tool for transferring data that is used by many popular Internet scanning tools.
That discovery was again made by RedTeam Pentesting, and the vulnerabilities continue to allow attackers with administrative access to the router’s web interface to:
- Execute arbitrary operating system commands on the device (CVE-2019-1652), and/or
- Gather configuration and diagnostic information that can be used to compromise the device or attached networks (CVE-2019-1653). “By downloading the configuration/diagnostic information, attackers can obtain internal network configuration, VPN or IPsec secrets, as well as password hashes for the router’s user accounts,” they pointed out.
Complete fixes are on the way
Troy Mursch of Bad Packets Report says attackers have been trying to exploit the flaws (especially CVE-2019-1653) since January, and there are currently over 8,000 vulnerable routers Cisco RV320/RV325 routers out there that attackers can extract configuration settings from.
Cisco says there are no workarounds that address these vulnerabilities, but RedTeam Pentesting experts note that the threat of attack can be mitigated by preventing untrusted users from using the vulnerable routers’ web interface and by preventing untrusted clients from connecting to the devices’ web server.