RV320 與 RV325 路由器的修補程式不完整，Cisco 予以修復，另外還修復兩個新錯誤 (CVE-2019-1827、CVE-2019-1828)

Cisco finalizes patch for RV320 and RV325 after researchers determined a previous patch was incomplete.

背景說明

On April 4, Cisco published updated advisories to address two vulnerabilities in its RV320 and RV325 routers that were originally reported in January 2019. Additionally, Cisco published advisories for two newly discovered, medium severity bugs in the same routers.

分析

Tenable blogged about these vulnerabilities -- CVE-2019-1652 and CVE-2019-1653 -- in late January when public exploit scripts were published. Shortly after publication, reports about exploit attempts against these devices surfaced. Additionally, Troy Mursch, (@bad_packets), reported over 9,000 devices were reportedly vulnerable to exploitation.

Initially, Cisco said it had patched these vulnerabilities in firmware versions 1.4.2.20 and later (CVE-2019-1652) and firmware versions 1.4.2.19 and later (CVE-2019-1653). However, three recent advisories from RedTeam Pentesting GmbH including new proof of concept (PoC) code were published on March 27, indicating that the previous patches were incomplete. Cisco confirmed the findings from RedTeam Pentesting and indicated that a complete patch was imminent. Troy Mursch updated his previous blog post, highlighting that over 8,000 devices were still vulnerable to CVE-2019-1653.

Using the latest data from @binaryedgeio, we've scanned 14,045 Cisco RV320/RV325 routers and found 8,827 are leaking their configuration file, including admin credentials, to the public internet.

Map of total vulnerable hosts found per country: https://t.co/8TDKyIGUTe pic.twitter.com/7ffywLebEt

— Bad Packets Report (@bad_packets) March 28, 2019

 In addition to these updated advisories, Cisco published two new advisories for medium severity bugs in the same routers. CVE-2019-1827 is a reflected cross-site scripting (XSS) vulnerability in the Online Help web service on the routers, while CVE-2019-1828 is a weak credential encryption vulnerability. Both vulnerabilities could be exploited by an unauthenticated, remote attacker. The latter could reveal encrypted administrative credentials, but requires the attacker to be operating as a man-in-the-middle. Because the device uses a weak encryption algorithm, a man-in-the-middle would likely be able to decrypt these credentials and gain administrative access to the vulnerable device.

解決方法

Cisco says firmware version 1.4.2.22 for RV320 and RV325 addresses the incomplete fixes for CVE-2019-1652 and CVE-2019-1653. The release notes for 1.4.2.22 show that CVE-2019-1827 and CVE-2019-1828 are also addressed based on the associated Cisco Bug IDs.

找出受影響的系統

A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.

取得更多資訊

• Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability
• Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability
• Cisco Small Business RV320 and RV325 Routers Online Help Reflected Cross-Site Scripting Vulnerability
• Cisco Small Business RV320 and RV325 Routers Weak Credential Encryption Vulnerability
• Tenable Blog: Public Exploit Scripts for Vulnerable Cisco Small Business RV320 and RV325 Devices Now Available

加入 Tenable Community 的 Tenable 安全回應團隊。

深入瞭解 Tenable，這是用於全面管理新型攻擊破綻的首創 Cyber Exposure 平台。

Get a free 60-day trial of Tenable.io Vulnerability Management.