Cisco 修复了 RV320 和 RV325 路由器的不完整补丁，以及两个新漏洞 (CVE-2019-1827, CVE-2019-1828)

Cisco finalizes patch for RV320 and RV325 after researchers determined a previous patch was incomplete.

背景

On April 4, Cisco published updated advisories to address two vulnerabilities in its RV320 and RV325 routers that were originally reported in January 2019. Additionally, Cisco published advisories for two newly discovered, medium severity bugs in the same routers.

分析

Tenable blogged about these vulnerabilities -- CVE-2019-1652 and CVE-2019-1653 -- in late January when public exploit scripts were published. Shortly after publication, reports about exploit attempts against these devices surfaced. Additionally, Troy Mursch, (@bad_packets), reported over 9,000 devices were reportedly vulnerable to exploitation.

Initially, Cisco said it had patched these vulnerabilities in firmware versions 1.4.2.20 and later (CVE-2019-1652) and firmware versions 1.4.2.19 and later (CVE-2019-1653). However, three recent advisories from RedTeam Pentesting GmbH including new proof of concept (PoC) code were published on March 27, indicating that the previous patches were incomplete. Cisco confirmed the findings from RedTeam Pentesting and indicated that a complete patch was imminent. Troy Mursch updated his previous blog post, highlighting that over 8,000 devices were still vulnerable to CVE-2019-1653.

Using the latest data from @binaryedgeio, we've scanned 14,045 Cisco RV320/RV325 routers and found 8,827 are leaking their configuration file, including admin credentials, to the public internet.

Map of total vulnerable hosts found per country: https://t.co/8TDKyIGUTe pic.twitter.com/7ffywLebEt

— Bad Packets Report (@bad_packets) March 28, 2019

 In addition to these updated advisories, Cisco published two new advisories for medium severity bugs in the same routers. CVE-2019-1827 is a reflected cross-site scripting (XSS) vulnerability in the Online Help web service on the routers, while CVE-2019-1828 is a weak credential encryption vulnerability. Both vulnerabilities could be exploited by an unauthenticated, remote attacker. The latter could reveal encrypted administrative credentials, but requires the attacker to be operating as a man-in-the-middle. Because the device uses a weak encryption algorithm, a man-in-the-middle would likely be able to decrypt these credentials and gain administrative access to the vulnerable device.

解决方案

Cisco says firmware version 1.4.2.22 for RV320 and RV325 addresses the incomplete fixes for CVE-2019-1652 and CVE-2019-1653. The release notes for 1.4.2.22 show that CVE-2019-1827 and CVE-2019-1828 are also addressed based on the associated Cisco Bug IDs.

识别受影响的系统

A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.

获取更多信息

• Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability
• Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability
• Cisco Small Business RV320 and RV325 Routers Online Help Reflected Cross-Site Scripting Vulnerability
• Cisco Small Business RV320 and RV325 Routers Weak Credential Encryption Vulnerability
• Tenable Blog: Public Exploit Scripts for Vulnerable Cisco Small Business RV320 and RV325 Devices Now Available

加入 Tenable Community 中的 Tenable 安全响应团队

了解有关 Tenable 这款首创 Cyber Exposure 平台的更多信息，全面管理现代攻击面。

Get a free 60-day trial of Tenable.io Vulnerability Management.