Information Disclosure Flaws Found in Cisco Small Business Routers
Cisco acknowledged vulnerabilities in two of its small business router products last week that could lead to information disclosures.
The vulnerabilities affect Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers and could let an attacker "download the router configuration or detailed diagnostic information," Cisco's Jan. 23 security advisory explained. Routers running firmware versions 220.127.116.11 and 18.104.22.168 are vulnerable. Cisco has issued free firmware updates for its affected customers.
The flaw is tracked under the Common Vulnerabilities and Exposures identifier CVE-2019-1653. Cisco ranked the vulnerabilities as potentially having a "High" impact on organizations, crediting RedTeam Pentesting GmbH for reporting the issue.
Vulnerabilities were detected in more than 9,000 of these routers, with most of the devices located in the United States, according to a blog post by Troy Mursch, a security researcher at the Web site "Bad Packets Report." Mursch recommended immediately applying Cisco's firmware updates, as well as "changing the device's admin and WiFi credentials."
The vulnerabilities can expose an administrator's credentials, but "the password is hashed," Mursch noted. However, the information exposed could be used in combination with a remote code execution attack (CVE-2019-1652) that was also discovered by RedTeam Pentesting.
"These routers can be exploited further using the leaked credentials (CVE-2019-1652) resulting in remote code execution detailed in the proof-of-concept published by David Davidson (0x27)," Mursch explained.
Attackers need valid credentials on the routers, though, to exploit CVE-2019-1652.
"The vulnerability [CVE-2019-1652] allows attackers with administrative access to the router's web interface to execute arbitrary operating system commands on the device," RedTeam Pentesting explained in a Seclists.org post. "Because attackers require valid credentials to the web interface, this vulnerability is only rated as a medium risk."
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.