Attackers scanning unpatched Cisco small business routers after exploit code published

News by Bradley Barth

Cisco Systems last week issued security advisories for two dozen vulnerabilities, including two high-severity flaws in its Small Business RV320 and RV325 dual gigabit WAN VPN routers, which attackers are reportedly already trying to exploit.

Cisco Systems last week issued security advisories for two dozen vulnerabilities, including two high-severity flaws in its Small Business RV320 and RV325 dual gigabit WAN VPN routers, which attackers are reportedly already trying to exploit with published proof-of-concept code.

Device owners are advised to immediately download Cisco’s patches for the two exploited flaws, both of which reside within the routers’ web-based management interface.

The first, CVE-2019-1652, is a command injection bug caused by improper validation of user-supplied input. The vulnerability, which affects routers running firmware releases 1.4.2.15 through 1.4.2.19, can can allow authenticated, remote attackers with admin privileges to execute arbitrary commands on the underlying Linux shell as root.

The second flaw, CVE-2019-1653, affects routers running firmware releases 1.4.2.15 and 1.4.2.17. The vulnerability allows unauthenticated remote attackers to retrieve sensitive information – including router configuration and diagnostic information – from the web-based interface, due to improper access controls for URLs.

The vulnerabilities were discovered by researchers at Germany’s RedTeam Pentesting GmbH, who published exploits for the vulnerabilities on GitHub after Cisco distributed its advisory. These exploits can be used in tandem with each other to gain remote code execution on affected routers after initially retrieving and dumping their configurations.

And now attacks may be taking advantage. In a series of tweets and a blog post, Troy Mursch, chief research officer at Bad Packets Report, warned that "On Friday, January 25, 2019, our honeypots detected opportunistic scanning activity from multiple hosts targeting Cisco Small Business RV320 and RV325 routers."

"These scans consisted of a GET request for /cgi-in/config.exp which is the path that allows unauthenticated remote users to obtain an entire dump of the device’s configuration settings," Mursch continued in his blog post. "This includes the administrator credentials, however the password is hashed."

After scanning 15,309 unique IPv4 hosts, Bad Packets report found that 9,657 were susceptible to CVE-2019-1653. Most were located in the US, but altogether they were found in 122 different countries.

Also among the 24 vulnerabilities Cisco announced last week was CVE-2019-1651, a critical buffer overflow condition in its SD-WAN Solution. The issue, which was patched in release version 18.4.0, could allow an authenticated, remote attacker to cause a denial of service condition and execute arbitrary code as a root user, due to improper bounds checking by the vContainer.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events