News

Cisco Identifies Security Flaws in Its Small Business Routers

• By Kurt Mackie
• 02/01/2019

A pair of Cisco small business router products are susceptible to information disclosure attacks, the networking giant acknowledged last week.

The affected devices are the Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers with firmware versions 1.4.2.15 and 1.4.2.17 installed.

Vulnerabilities in these routers could enable an attacker to "download the router configuration or detailed diagnostic information," Cisco's Jan. 23 security advisory explained. Cisco has issued free firmware software updates for its affected customers.

The flaw goes by the common vulnerabilities and exposures number of CVE-2019-1653. Cisco ranked the vulnerabilities as potentially having a "High" impact on organizations, crediting RedTeam Pentesting GmbH for reporting the issue.

Vulnerabilities were detected in more than 9,000 of these routers, with most of the devices located in the United States, according to a blog post by Troy Mursch, a security researcher at the Web site "Bad Packets Report." Mursch recommended immediately applying Cisco's firmware updates, as well as "changing the device's admin and WiFi credentials."

The vulnerabilities can expose an administrator's credentials, but "the password is hashed," Mursch noted. However, the information exposed could be used in combination with a remote code execution attack (CVE-2019-1652) that was also discovered by RedTeam Pentesting.

"These routers can be exploited further using the leaked credentials (CVE-2019-1652) resulting in remote code execution detailed in the proof-of-concept published by David Davidson (0x27)," Mursch explained.

Attackers need valid credentials on the routers, though, to exploit CVE-2019-1652.

"The vulnerability [CVE-2019-1652] allows attackers with administrative access to the router's web interface to execute arbitrary operating system commands on the device," RedTeam Pentesting explained in a Seclists.org post. "Because attackers require valid credentials to the web interface, this vulnerability is only rated as a medium risk."