Last week, RedTeam Pentesting disclosed a command injection vulnerability in the web-based certificate generator feature of the Cisco RV320 router. According to RedTeam Pentesting, the vendor's patch for the feature was inadequate. On Saturday, Cisco acknowledged that it had mismanaged a patch, leaving two router models, the Cisco RV320 and RV325 WAN VPN routers, still vulnerable.
We were also quite surprised to find this /etc/nginx.conf in 1.4.2.20 pic.twitter.com/tvOj04Q7Ip
— RedTeam Pentesting (@RedTeamPT) March 27, 2019
The security flaws
These router vulnerabilities were discovered back in September 2018. Four months after the discovery, a patch was issued that blacklisted curl, a command-line tool for transferring data that is also built into many internet scanners. The idea behind blacklisting curl was to keep attackers away from the devices. Cisco's patches were intended to protect these vulnerable devices, and initially it was believed that they were the right choice for businesses.
Cisco’s RV320 product page reads, “Keep your employees, your business, and yourself productive and effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal choice for any small office or small business looking for performance, security, and reliability in its network.” Around 10,000 of these devices are still accessible online and are vulnerable to attack. Cisco’s patch merely blacklisted curl, which turned out to be a major problem.
In January this year, security researcher David Davidson published a proof-of-concept for two Cisco RV320 and RV325 vulnerabilities. The security flaws patched by Cisco were:
CVE-2019-1652: This flaw allows remote attackers to inject and run admin commands on the device without using a password.
CVE-2019-1653: This flaw allows remote attackers to get sensitive device configuration details without using a password.
But instead of fixing the vulnerable code in the firmware itself, Cisco appears to have simply blacklisted curl's user agent.
Cisco firmware update for RV320/RV325 routers simply blacklisted the user agent for curl. 🤦♂️ https://t.co/iWrUn98vcr
— Bad Packets Report (@bad_packets) March 27, 2019
Most users were surprised by this news and believe that such a patch can easily be bypassed by attackers.
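To show why a user-agent blacklist is a weak control from the defender's side, here is an added example (not code from the article, RedTeam Pentesting or Cisco) that runs two rules over constructed nginx-style access log lines: one that only matches requests whose User-Agent contains "curl", as the patch effectively did, and one that watches the sensitive endpoint itself regardless of client. The endpoint path /admin/certgen.cgi and the log lines are placeholders, not the real device paths.

```python
import re
from collections import Counter

# Regex for the nginx "combined" log format; the fields below are constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Hypothetical placeholder for the admin endpoint, not the router's real path.
SENSITIVE_PATH = "/admin/certgen.cgi"

# Constructed sample: a curl probe rejected by the denylist (403), then the same
# endpoint reached by clients the denylist never looks at.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Mar/2019:10:00:01 +0000] "POST /admin/certgen.cgi HTTP/1.1" 403 0 "-" "curl/7.64.0"
203.0.113.5 - - [27/Mar/2019:10:00:02 +0000] "POST /admin/certgen.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Mar/2019:10:01:00 +0000] "POST /admin/certgen.cgi HTTP/1.1" 200 512 "-" "python-requests/2.21"
198.51.100.9 - - [27/Mar/2019:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def parse(log_text):
    """Yield one dict per well-formed combined-format log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def flagged_by_user_agent(log_text, needle="curl"):
    """What a User-Agent denylist sees: only requests whose UA contains the needle."""
    return [e for e in parse(log_text) if needle in e["ua"].lower()]


def flagged_by_endpoint(log_text, path=SENSITIVE_PATH):
    """Defender's rule: every request to the sensitive endpoint, whatever the client."""
    return [e for e in parse(log_text) if e["path"] == path]


def sources_reaching_endpoint(log_text, path=SENSITIVE_PATH):
    """Client IPs that got a non-403 answer from the endpoint, i.e. were not blocked."""
    return Counter(e["ip"] for e in flagged_by_endpoint(log_text, path) if e["status"] != "403")
```

In the constructed sample the user-agent rule catches one request while the endpoint rule catches all three, which is the gap the tweets above are pointing at.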
O M Gosh(#ty)
This is so silly! You'd think @CiscoSecurity could have told their product teams that tricks like this are just juvenile and so easy to bypass. pic.twitter.com/42lgoG9cfc
— boB 🇷udis (@hrbrmstr) March 27, 2019
Cisco as a hardware vendor shouldn’t get involved
— Tobiasz Cudnik (@tobiasz_cudnik) March 28, 2019
To know more about this news, check out RedTeam Pentesting’s post.