Cisco fixes broken RV320/RV325 router patches as more exploits emerge
- 05 April, 2019 07:25
Cisco on Thursday posted four advisories concerning its RV320 and RV325 small business routers, flagging a fix for a botched patch that filed to plug a high severity flaw, and a separate flaw affecting the same routers that is under attack.
Lsat week Cisco warned that a January-issued patch for the RV320 and RV325 Dual Gigabit WAN VPN Routers didn’t actually fix two vulnerabilities — CVE-2019-1652 and CVE-2019-1653 — for which public exploit code was available and attackers were known to be scanning for vulnerable devices.
Admins can now grab firmware release 126.96.36.199 for the two routers that are “complete”, according to Cisco.
The flaw affects RV320 and RV325 routers running firmware Releases 188.8.131.52 through to 184.108.40.206, which was the firmware Cisco originally released to address the flaws.
“Firmware updates that address this vulnerability are currently available. There are no workarounds that address this vulnerability,” Cisco notes.
The company has also warned customers using RV320 and RV325 routers of a newly disclosed weakness in the web management interface of the routers, which could allow remote attackers without correct login details to access admin credentials.
The affected devices with the vulnerability CVE-2019-1828 use weak encryption algorithms for user credentials, allowing a man-in-the-middle attacker to capture and decrypt them.
“A successful exploit could allow the attacker to gain access to an affected device with administrator privileges,” Cisco warns.
“The Cisco Product Security Incident Response Team (PSIRT) is aware of the public announcement or malicious use of the vulnerability that is described in this advisory,” it added.
Cisco credited a security researcher who uses the name 0x27 on GitHub for reporting the bug.
The same researcher in January, following Cisco's release of the failed patches, published exploit code for one of the two flaws. 0x27's two exploits dump configuration files and debug data data from the device, which can be used to exploit the bug and execute commands remotely on the vulnerable device.
Cisco also patched a flaw that in the Online Help web service of the two routers that could allow a remote attacker to launch a reflected cross-site scripting (XSS) attack on a user of Online Help. The web service doesn’t properly validate user input and can be exposed by convincing a user to click a malicious link.
“A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected service or access sensitive browser-based information, Cisco notes.
The bug, CVE-2019-1827, was found by Cisco internally and the company is not aware fo any malicious use of it.
The company has also released released updates for two high severity flaws affecting its HyperFlex Software for managing clusters.
The two flaws are due to failures in authentication control and input validation. One flaw allows an unauthenticated attacker from an adjacent node in a cluster to execute commands as the root user, while the other allows a local attacker to gain root access to all nodes in the cluster.