Cisco released 24 patches, many dealing with the company’s IOS XE operating system and 19 of them addressing vulnerabilities rated high severity – although some researchers have reported that two of the high-severity fixes weren’t enough to stop exploitation.
Among the crucial patches are those for high-severity vulnerabilities affecting 10,000 of company’s popular Cisco RV320 and RV325 WAN VPN small business routers, according to a recent advisory.
CVE-2019-1652 and CVE-2019-1653 could have allowed a remote attacker to inject and run admin commands on a device without a password and to get sensitive device configuration details without a password, respectively.
Both already have been actively exploited in the wild after several security researchers released proof-of-concept code demonstrating how the bugs worked and how they could be used to take control of the routers.
In an email to SC Media UK, Eoin Keary, CEO and co-founder of edgescan, commented: "It would be prudent to ask why one would expose an administration web interface to any untrusted networks or the public Internet. A very common avenue of attack is to simply attack the administration console, be it default passwords or exploitation of a vulnerability in the web interface. Administration consoles should only be accessible from a trusted network or network range, this can be easily done via a firewall rule."
Bad Packets co-founder and researcher Troy Mursch, who initially spotted RV320/RV325 scans in January, told ZDNet the update simply blacklisted the user agent for curl and that hackers never stopped searching for vulnerable devices.
In addition, many router owners reportedly didn’t bother applying the faulty Cisco patches, leaving them vulnerable to the initial attacks.
"We are working on a complete fix with the highest priority and thank our customers and our partners for their patience during the resolution of this issue. Please refer to the security advisories for the latest information," a Cisco spokesperson told SC Media.
Lane Thames, senior security researcher at Tripwire, told SC Media there are a few interesting failures in this botched fix.
" First, this shows that even the largest of software and hardware vendors don’t have basic secure development practices in place," Thames said. "The engineering behind this fix was quite immature with respect to security and indicates that even the engineers involved with fixing security bugs sometimes don’t understand how to fix vulnerabilities."
Thames added the command injection vulnerability, in this case, was very basic, trivial to prevent, and is due to improper input sanitisation. In addition, Thames contended Cisco should have worked closer with the researchers who discovered the vulnerabilities.
"These testers could have analysed the patched firmware for Cisco to confirm a good fix before releasing the patch to the public," he said. "The RedTeam Pentesting GmbH group who found these vulnerabilities posted the following disclosure here.
An earlier version of this article was originally published on SC Media US.