Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Public Exploit Scripts for Vulnerable Cisco Small Business RV320 and RV325 Devices Now Available

Availability of public exploit scripts for two vulnerabilities in Cisco Small Business WAN VPN routers coupled with incoming scans for vulnerable devices indicate that attackers are preparing to launch attacks.

Background

On January 23, Cisco published a list of security advisories including advisories for two vulnerabilities in Cisco Small Business RV320 and RV325 dual gigabit WAN VPN routers. Both vulnerabilities exist within the routers’ web-based management interface. The first is CVE-2019-1652, a command injection vulnerability that exists in firmware versions 1.4.2.15 through 1.4.2.19. The second is CVE-2019-1653, an information disclosure vulnerability that exists in firmware versions 1.4.2.15 and 1.4.2.17.

Analysis

In order to exploit CVE-2019-1652, a remote attacker would need to be authenticated and have administrative privileges. However, CVE-2019-1653 requires no authentication, so a remote attacker can easily retrieve sensitive information including the router’s configuration file, which includes MD5 hashed credentials as well as diagnostic information.

Proof of concept

On January 24, a security researcher published a repository of exploit scripts on Github to target these vulnerabilities. One of the scripts can be used to exploit CVE-2019-1653 to  retrieve the configuration file from the router as well as the diagnostic information. This information includes hashed credentials for the router, which are trivially hashed using MD5. The md5 hash is md5($password.$auth_key), with the auth_key being a static value that can be readily found by running ‘GET /’ and parsing the output. The other script is designed to exploit CVE-2019-1652 by using default credentials or cracked credentials. Update March 27: RedTeam Pentesting GmbH have shared additional proof-of-concept code as part of their additional disclosure to Cisco about the previous patch being incomplete.

Troy Mursch, who operates the Twitter handle @bad_packets, has observed incoming scans probing for vulnerable versions of the Cisco RV320/RV325 routers, which indicates that attacks are beginning to ramp up. Cursory SHODAN searches indicate that over 20,000 devices matching the affected router models may be publicly exposed. Update January 28: Over 9,000 devices are reportedly vulnerable.

Solution

Cisco has released software updates to address both of these vulnerabilities. CVE-2019-1652 is addressed in Cisco RV320 and RV325 firmware versions 1.4.2.20 and later while CVE-2019-1653 is addressed in RV320 and RV325 firmware versions 1.4.2.19 and later. These software updates can be retrieved from the Cisco Software Center. Update March 27: Cisco updated their RV320 and RV325 advisories today after they received reports that their previous patches for these vulnerabilities were determined to be incomplete. Cisco says they are currently working on a complete fix. We will update this blog once a complete fix has been released.

Identifying affected systems

A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.