Cisco Router Still Vulnerable to Remote Attack After Attempted Fix

The vendor finally admitted that the security patches it had released in January for the Small Business RV320 and RV325 routers don't work.

Cisco finally admitted that the patches it had released in Januaryfor the Small Business RV320 and RV325 routers don't work.

In an advisory, the company said that, "A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands."

Cisco went on to note the cause. "The vulnerability is due to improper validation of user-supplied input," it said. "An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root."

Moreover, "The initial fix for this vulnerability was found to be incomplete. Cisco is currently working on a complete fix. This document will be updated once fixed code becomes available. Firmware updates that address this vulnerability are not currently available. There are no workarounds that address this vulnerability."

A second vulnerability in the same devices allowed the exfiltration of sensitive information. It too was not patched correctly.

One could almost hear Cisco grit its corporate teeth in the advisory.

In its first attempt, Cisco made the router's firmware not execute the user agent name for the 'curl' command-line tool used for transferring data online. The idea was that this would block exfiltration. Unfortunately, changing the name of the user agent to a different name bypasses this effort, and exfiltration can occur.

Bad Packets Report tweeted in late March that, "Using the latest data from @binaryedgeio, we've scanned 14,045 Cisco RV320/RV325 routers and found 8,827 are leaking their configuration file, including admin credentials, to the public internet."

They found that about 4,000 of them were located in the US. Until a fix is released, the routers should not be directly exposed to the web. Other methods, such as a VPN connection, may also work.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Editors' Choice
Jeffrey Schwartz, Contributing Writer, Dark Reading
Jai Vijayan, Contributing Writer, Dark Reading