The availability of public exploit scripts for two vulnerabilities in Cisco Small Business WAN VPN routers, coupled with incoming scans for vulnerable devices, indicates that attackers are preparing to launch attacks.
On January 23, Cisco published a list of security advisories including advisories for two vulnerabilities in Cisco Small Business RV320 and RV325 dual gigabit WAN VPN routers. Both vulnerabilities exist within the routers’ web-based management interface. The first is CVE-2019-1652, a command injection vulnerability that exists in firmware versions 220.127.116.11 through 18.104.22.168. The second is CVE-2019-1653, an information disclosure vulnerability that exists in firmware versions 22.214.171.124 and 126.96.36.199.
In order to exploit CVE-2019-1652, a remote attacker would need to be authenticated and have administrative privileges. However, CVE-2019-1653 requires no authentication, so a remote attacker can easily retrieve sensitive information including the router’s configuration file, which includes MD5 hashed credentials as well as diagnostic information.
Proof of concept
On January 24, a security researcher published a repository of exploit scripts on GitHub targeting these vulnerabilities. One of the scripts exploits CVE-2019-1653 to retrieve the configuration file and the diagnostic information from the router. The configuration file includes the router’s credentials, which are only trivially protected: each is hashed as md5($password.$auth_key), where auth_key is a static value that can be readily obtained by requesting ‘GET /’ and parsing the response. The other script exploits CVE-2019-1652 using default or cracked credentials. Update March 27: RedTeam Pentesting GmbH has shared additional proof-of-concept code as part of its follow-up disclosure to Cisco about the previous patch being incomplete.
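To make the weakness of the md5($password.$auth_key) construction concrete, here is an added example (not code from the post or from the exploit repository) that contrasts a static-key MD5 scheme with a per-user salted, iterated KDF. AUTH_KEY and all passwords are constructed placeholder values, not real device data.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed placeholder; the real auth_key is a per-firmware static value that the
# post notes is readable from the router's web interface, so it is effectively public.
AUTH_KEY = "EXAMPLE_STATIC_AUTH_KEY"


def rv_style_hash(password: str, auth_key: str = AUTH_KEY) -> str:
    """Digest in the form the post describes: md5($password.$auth_key).

    Because auth_key is the same for every account and every device running that
    firmware, the digest depends only on the password: the key adds no per-user
    randomness and a single precomputed table covers every such device."""
    return hashlib.md5((password + auth_key).encode()).hexdigest()


def shares_password(hashes) -> bool:
    """Under a static key, two accounts with the same password yield identical
    digests. A reviewer can spot the scheme from a dump alone by this property."""
    return len(hashes) != len(set(hashes))


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """What the firmware should do instead: a random 16-byte salt per credential
    and an iterated KDF, so the same password gives a different digest each time."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk


def verify_pbkdf2(password: str, salt: bytes, dk: bytes,
                  iterations: int = 600_000) -> bool:
    """Constant-time verification against a stored (salt, digest) pair."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, dk)


if __name__ == "__main__":
    weak = [rv_style_hash("Summer2019"), rv_style_hash("Summer2019")]
    print("static-key scheme leaks shared passwords:", shares_password(weak))
    s1, d1 = pbkdf2_hash("Summer2019")
    s2, d2 = pbkdf2_hash("Summer2019")
    print("salted KDF digests differ for the same password:", d1 != d2)
```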
Troy Mursch, who operates the Twitter handle @bad_packets, has observed incoming scans probing for vulnerable versions of the Cisco RV320/RV325 routers, which indicates that attacks are beginning to ramp up. Cursory Shodan searches indicate that over 20,000 devices matching the affected router models may be publicly exposed. Update January 28: Over 9,000 devices are reportedly vulnerable.
⚠️ WARNING ⚠️ Incoming scans detected from multiple hosts checking for vulnerable Cisco RV320/RV325 routers.
A vulnerability in the web-based management interface of these routers could allow an unauthenticated, remote attacker to retrieve sensitive configuration information.
— Bad Packets Report (@bad_packets), January 25, 2019
Cisco has released software updates to address both of these vulnerabilities. CVE-2019-1652 is addressed in Cisco RV320 and RV325 firmware versions 188.8.131.52 and later while CVE-2019-1653 is addressed in RV320 and RV325 firmware versions 184.108.40.206 and later. These software updates can be retrieved from the Cisco Software Center. Update March 27: Cisco updated their RV320 and RV325 advisories today after they received reports that their previous patches for these vulnerabilities were determined to be incomplete. Cisco says they are currently working on a complete fix. We will update this blog once a complete fix has been released.
Identifying affected systems
A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.
Get more information
- Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability
- Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability
- GitHub Repository of Exploit Scripts for CVE-2019-1652 and CVE-2019-1653
- Cisco Software Center