Cyber-criminals scan for vulnerable Cisco routers to take full control

News by Rene Millman

Organisations in rush to patch Cisco RV320/RV325 routers before hackers can start exploiting remote access vulnerabilities.

Hackers are scanning for vulnerable Cisco routers after it was discovered that two of the firm’s devices have vulnerabilities that could enable attackers to take full control of them.

The flaws affect Cisco Small Business RV320 and RV325 dual gigabit WAN VPN routers, and both sit in the routers’ web-based management interface. The first is CVE-2019-1652, a command injection vulnerability present in firmware versions 1.4.2.15 through 1.4.2.19. The second is CVE-2019-1653, an information disclosure vulnerability present in firmware versions 1.4.2.15 and 1.4.2.17.

The flaws were discovered by German security firm RedTeam Pentesting, which found them in the Cisco RV320. The researchers disclosed the flaws to Cisco last year, giving the company time to push out patches before details were published. CVE-2019-1652 is addressed in Cisco RV320 and RV325 firmware versions 1.4.2.20 and later, while CVE-2019-1653 is addressed in RV320 and RV325 firmware versions 1.4.2.19 and later.

According to a blog post by researchers at Tenable, exploiting CVE-2019-1652 requires a remote attacker to be authenticated with administrative privileges. "However, CVE-2019-1653 requires no authentication, so a remote attacker can easily retrieve sensitive information including the router’s configuration file, which includes MD5 hashed credentials as well as diagnostic information," said Satnam Narang, senior research engineer at Tenable.

A repository of exploit scripts targeting these vulnerabilities has been published on GitHub. According to Narang, one of the scripts exploits CVE-2019-1653 to retrieve the configuration file and the diagnostic information from the router.

"This information includes hashed credentials for the router, which are trivially hashed using MD5. The md5 hash is md5($password.$auth_key), with the auth_key being a static value that can be readily found by running ‘GET /’ and parsing the output. The other script is designed to exploit CVE-2019-1652 by using default credentials or cracked credentials," he said.
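The hashing scheme Narang describes, worked through as an added example (this is not code from the article, from Tenable or from the GitHub exploit repository): the md5($password.$auth_key) step, a dictionary attack against it, and, for contrast, a salted slow-KDF scheme that the same attack would have to pay far more per guess to run. AUTH_KEY, the wordlist and the "leaked" hash are constructed for the demonstration; on a real device the auth_key would be read from the router's 'GET /' response.

```python
"""Why md5($password . $auth_key) is 'trivially hashed', and what a sane
alternative looks like. Added example, not code from the article, Tenable
or the GitHub exploit repository; AUTH_KEY, WORDLIST and the leaked hash
used in main() are constructed for this demonstration."""
import hashlib
import hmac
import os
import time
from typing import Callable, Iterable, Optional

# Constructed stand-in for the static auth_key the article says is readable
# from the router's 'GET /' response. Not a real RV320/RV325 value.
AUTH_KEY = "1966050934"

# Constructed dictionary; a real attacker would use a large leaked-password list.
WORDLIST = ["admin", "cisco", "password", "letmein", "Cisco123", "Router2019"]


def rv_style_hash(password: str, auth_key: str) -> str:
    """The scheme described in the article: md5 over password || auth_key.
    auth_key is identical for every device and user, so it is a pepper that
    everyone knows rather than a per-credential salt, and md5 is fast enough
    for billions of guesses per second on commodity GPUs."""
    return hashlib.md5((password + auth_key).encode()).hexdigest()


def crack(verify: Callable[[str], bool], wordlist: Iterable[str]) -> Optional[str]:
    """Generic offline dictionary attack: first candidate that verifies, else None."""
    for candidate in wordlist:
        if verify(candidate):
            return candidate
    return None


def crack_rv(target_hash: str, auth_key: str, wordlist: Iterable[str]) -> Optional[str]:
    """Attack the article's scheme with a hash lifted from a leaked config file."""
    return crack(lambda p: hmac.compare_digest(rv_style_hash(p, auth_key), target_hash),
                 wordlist)


# Hardened alternative: random per-credential salt plus a deliberately slow KDF.
PBKDF2_ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256


def hardened_hash(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Stored form: algorithm$iterations$salt_hex$dk_hex (own format, an assumption)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_hardened(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed: suppose the config dump leaked this hash for the admin user.
    leaked = rv_style_hash("Cisco123", AUTH_KEY)
    t0 = time.perf_counter()
    print("md5 scheme   :", crack_rv(leaked, AUTH_KEY, WORDLIST),
          f"recovered in {time.perf_counter() - t0:.5f}s")

    stored = hardened_hash("Cisco123")
    t0 = time.perf_counter()
    print("pbkdf2 scheme:", crack(lambda p: verify_hardened(p, stored), WORDLIST),
          f"recovered in {time.perf_counter() - t0:.2f}s (same dictionary, far higher per-guess cost)")
```

The point of the comparison is not that the slow scheme makes a guessable password safe: the same six-word dictionary recovers "Cisco123" either way. What changes is the cost per guess (hundreds of thousands of SHA-256 rounds instead of one md5) and the fact that a random salt stops one precomputed table from serving every router that shares the same static auth_key.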

Narang said that Troy Mursch, a security researcher at Bad Packets, had observed incoming scans probing for vulnerable versions of the Cisco RV320/RV325 routers "which indicates that attacks are beginning to ramp up".

"These are embarrassing bugs, and they’ve been publicly disclosed," said Paul Ducklin, senior technologist at Sophos. "However, that probably means they’ll get fixed quickly. So, [a] keep a lookout for the update and apply it as soon as it’s out and [b] don’t make your router’s web administration interface visible to outsiders."

As Ducklin pointed out, many routers – like printers, NAS (storage) devices and webcams – have their admin interfaces exposed to the internet unnecessarily, entirely by mistake.

Those "mistakes" can easily and automatically be sniffed out by internet search engines like Shodan and Censys.

"Even if you have the most super-secure device in the world," said Ducklin, "there’s no point in exposing it to the internet unless you genuinely need and intend to. Check your router’s admin interface settings today – make sure that you haven’t got ‘remote access’ or ‘listen on WAN’, or whatever your device calls it, turned on unexpectedly."

Eoin Keary, CEO of Edgescan, told SC that it is important to have all default credentials on the devices – and all other systems – removed.

"Default credentials are an easy way for an attacker to log into a target system. Attack detection is also important, for which there are free and open source solutions available. But nothing replaces patching a known vulnerability or CVE," he said.

"Web interfaces for any local device should only be available on loopback (127.0.0.1) so no remote access can be used. This can be configured generally on the device itself or on a firewall to block all access to admin interfaces apart from local access. Exposed administration interfaces are a very common way to gain unauthorised access. Having default credentials coupled with an administrator interface exposed to the public Internet makes it very easy to access a target. In our experience at Edgescan, it is unfortunately not uncommon."
