Cisco business routers targeted after patch, at least 9,000 vulnerable

  • Liam Tung (CSO Online)
  • 29 January, 2019 06:47

Security researchers have found over 9,000 Cisco routers that are vulnerable to two serious bugs that Cisco released patches for this month. 

Businesses are being urged to install Cisco’s updates detailed in its January 23 security advisories because of publicly available exploit code that could give attackers an easy route to rummaging through an organization's network.

The two flaws affect the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers. Admins use it to configure router settings. 

The information disclosure flaw, CVE-2019-1653, allows an unauthenticated remote attacker to obtain configuration files from the device, revealing sensitive configuration information as well as the administrator’s hashed password. 

The other flaw, a remote command execution bug tracked as CVE-2019-165, allows an attacker to remotely execute commands on the device if the attacker has gained valid credentials.       

The pair of bugs were reported by German pen-testing outfit RedTeam Pentesting GmbH, which described the risks to organisations. 

“By downloading the configuration, attackers can obtain internal network configuration, VPN or IPsec secrets, as well as password hashes for the router's user accounts,” explained RedTeam Pentesting.

“Knowledge of a user's password hash is sufficient to log into the router's web interface. Any information obtained through exploitation of this vulnerability can be used to facilitate further compromise of the device itself or attached networks.” 

Things became more dangerous for those using affected Cisco routers after Darren Martyn, a researcher at UK security firm Xiphos Research, who uses the handle 0x27, published exploit code for the bugs two days after Cisco's advisory. While the disclosure should give cause for users to patch affected devices, it could help attackers breach organizations that haven't installed the update. 

The exploits target both flaws: one dumps the configuration files, including hashed passwords; the other contains a method for remote command execution that works if the attacker has cracked the password hash. 

But admins who didn’t change the router’s default credentials, which Martyn notes are "cisco" for the username and "cisco" for the password, could be in for trouble.

The bugs affect Cisco routers running firmware releases from through to

Potential attackers have already started scanning the internet for vulnerable Cisco routers, according to security expert Troy Mursch of Bad Packets.  

Mursch’s honeypots detected “opportunistic scanning activity” that targeted the Cisco router models on January 25. He scanned over 15,000 IPv4 hosts and turned up 9,657 Cisco routers that were vulnerable to the information disclosure flaw. He also confirmed that about a third of 9,852 Cisco RV320 routers are vulnerable. More than half of the 5,457 Cisco RV325 routers scanned are vulnerable. 

Most of the vulnerable devices are in the US, totaling nearly 4,400 routers. Of the vulnerable hosts, 109 were located in Australia, according to a map of vulnerable routers that Mursch published.