After a botched first attempt at patching two high-severity bugs affecting its RV320 and RV325 routers, Cisco Systems is out with fresh new fixes for both devices. However, Cisco isn’t out of the woods yet. On Thursday, it also reported two new medium-severity router bugs impacting the same router models – and with no reported fixes or workarounds.
The good news for Cisco was it said it finally successfully patched its RV320 and RV325 WAN VPN routers after first bungling the fix. Last week, Cisco notified customers that it had mismanaged a patch originally issued in September 2018 when it attempted to fix two router vulnerabilities (CVE-2019-1652 and CVE-2019-1653) – both rated as being of high importance.
“The initial fix for this vulnerability was found to be incomplete. The complete fix is now available in Firmware Release 220.127.116.11,” wrote Cisco on Thursday, referring to (CVE-2019-1652) a command injection vulnerability. According to the bulletin, the flaw allowed an authenticated, remote attacker with administrative privileges to execute arbitrary commands on either the RV320 and RV325 routers.
For CVE-2019-1653, Cisco posted the exact same status update, notifying customers of the same firmware fix. The bug in this case is an information disclosure vulnerability “[that] could allow an unauthenticated, remote attacker to retrieve sensitive information,” Cisco wrote.
Righting the Routers’ Wrongs
Initially, the bugs were identified last September by RedTeam Pentesting and patched by Cisco on January 23. Making matters worse, on January 25, security researcher David Davidson published proof-of-concept hacks for two routers. As customers rushed to apply the patches, hackers reportedly began attacking both routers.
Part of Cisco’s January fix included blacklisting the so-called client for URLs (or cURL) on the modems. CURL is a command line tool for transferring data using various protocols. Presumably, blacklisting the user agent for cURL would keep attackers out. That wasn’t the case, and Cisco critics chimed in, stating that the blacklisting could easily be bypassed.
— boB 🇷udis (@hrbrmstr) March 27, 2019
Last Wednesday, Cisco admitted as much, relaying a message to customers that both router patches were “incomplete” and that both were still vulnerable to attack. It added that in both cases, “firmware updates that address [these vulnerabilities] are not currently available.” It added there are no workarounds that address either vulnerability.
New Medium-Severity Headaches for Cisco
Also Thursday, Cisco reported two new medium-severity bug also affecting its RV320 and RV325 routers, both with no patches available. One bug (CVE-2019-1828) is tied to weak credential encryption use by both routers. The other is insufficient validation of a user-supplied input bug (CVE-2019-1827), also affecting both routers.
Both reports warn, “There are no workarounds that address this vulnerability.” Cisco does not mention anything about a patch in either advisory.
As for the weak credential vulnerability, it “exists because affected devices use weak encryption algorithms for user credentials. An attacker could exploit this vulnerability by conducting a man-in-the-middle attack and decrypting intercepted credentials. A successful exploit could allow the attacker to gain access to an affected device with administrator privileges,” according to Cisco.
As for the input bug, Cisco warns, “A vulnerability in the Online Help web service of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the service.”
As for exploitation of the bugs, Cisco said of the weak credential bug (CVE-2019-1828): “The Cisco Product Security Incident Response Team (PSIRT) is aware of the public announcement or malicious use of the vulnerability that is described in this advisory.” It thanked GitHub user 0x27 for reporting the vulnerability.
Cisco said it was not aware of any public exploits tied to the input validation bug.
Cisco did not return a request to comment for this article.