Cisco Finally Patches Router Bugs As New Unpatched Flaws Surface

cisco critical patch

Cisco repatched its RV320 and RV325 routers against two high-severity vulnerabilities, but at the same time reported two new medium-severity bugs with no fixes.

After a botched first attempt at patching two high-severity bugs affecting its RV320 and RV325 routers, Cisco Systems is out with fresh new fixes for both devices. However, Cisco isn’t out of the woods yet. On Thursday, it also reported two new medium-severity router bugs impacting the same router models – and with no reported fixes or workarounds.

The good news for Cisco was it said it finally successfully patched its RV320 and RV325 WAN VPN routers after first bungling the fix. Last week, Cisco notified customers that it had mismanaged a patch originally issued in September 2018 when it attempted to fix two router vulnerabilities (CVE-2019-1652 and CVE-2019-1653) – both rated as being of high importance.

“The initial fix for this vulnerability was found to be incomplete. The complete fix is now available in Firmware Release 1.4.2.22,” wrote Cisco on Thursday, referring to (CVE-2019-1652) a command injection vulnerability. According to the bulletin, the flaw allowed an authenticated, remote attacker with administrative privileges to execute arbitrary commands on either the RV320 and RV325 routers.

For CVE-2019-1653, Cisco posted the exact same status update, notifying customers of the same firmware fix. The bug in this case is an information disclosure vulnerability “[that] could allow an unauthenticated, remote attacker to retrieve sensitive information,” Cisco wrote.

Righting the Routers’ Wrongs  

Initially, the bugs were identified last September by RedTeam Pentesting and patched by Cisco on January 23. Making matters worse, on January 25, security researcher David Davidson published proof-of-concept hacks for two routers. As customers rushed to apply the patches, hackers reportedly began attacking both routers.

Part of Cisco’s January fix included blacklisting the so-called client for URLs (or cURL) on the modems. CURL is a command line tool for transferring data using various protocols. Presumably, blacklisting the user agent for cURL would keep attackers out. That wasn’t the case, and Cisco critics chimed in, stating that the blacklisting could easily be bypassed.

https://twitter.com/hrbrmstr/status/1110995488235503616

Last Wednesday, Cisco admitted as much, relaying a message to customers that both router patches were “incomplete” and that both were still vulnerable to attack. It added that in both cases, “firmware updates that address [these vulnerabilities] are not currently available.” It added there are no workarounds that address either vulnerability.

New Medium-Severity Headaches for Cisco

Also Thursday, Cisco reported two new medium-severity bug also affecting its RV320 and RV325 routers, both with no patches available. One bug (CVE-2019-1828) is tied to weak credential encryption use by both routers. The other is insufficient validation of a user-supplied input bug (CVE-2019-1827), also affecting both routers.

Both reports warn, “There are no workarounds that address this vulnerability.” Cisco does not mention anything about a patch in either advisory.

As for the weak credential vulnerability, it “exists because affected devices use weak encryption algorithms for user credentials. An attacker could exploit this vulnerability by conducting a man-in-the-middle attack and decrypting intercepted credentials. A successful exploit could allow the attacker to gain access to an affected device with administrator privileges,” according to Cisco.

As for the input bug, Cisco warns, “A vulnerability in the Online Help web service of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the service.”

As for exploitation of the bugs, Cisco said of the weak credential bug (CVE-2019-1828): “The Cisco Product Security Incident Response Team (PSIRT) is aware of the public announcement or malicious use of the vulnerability that is described in this advisory.” It thanked GitHub user 0x27 for reporting the vulnerability.

Cisco said it was not aware of any public exploits tied to the input validation bug.

Cisco did not return a request to comment for this article.

Suggested articles

Discussion

  • GlowingMoose on

    I already replaced mine... I can't wait for Cisco who clearly does not take security seriously for its SMB customers. There are still several features that after owning my RV325 for years that do not work. There are also no real helpful analytics available from it. Very expensive hardware that isn't supported by either security or software to match its cost.
  • Whups! I mean I did that on purpose. on

    Isn't it clear what happened here? Some outsourced firmware vendor put one over on Cisco by "fixing" the vulns just enough to pass Cisco's own test cases. And nobody at Cisco actually reviewed the source code for the purported "fixes" . Wouldn't it be nice if Cisco would identify who did this and publically commit to not do business with them any more?

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.