Cisco Router Still Vulnerable to Remote Attack After Attempted Fix

The vendor finally admitted that the security patches it had released in January for the Small Business RV320 and RV325 routers don't work.

Larry Loeb, Blogger, Informationweek

April 2, 2019

2 Min Read

Cisco finally admitted that the patches it had released in Januaryfor the Small Business RV320 and RV325 routers don't work.

In an advisory, the company said that, "A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands."

Cisco went on to note the cause. "The vulnerability is due to improper validation of user-supplied input," it said. "An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root."

Moreover, "The initial fix for this vulnerability was found to be incomplete. Cisco is currently working on a complete fix. This document will be updated once fixed code becomes available. Firmware updates that address this vulnerability are not currently available. There are no workarounds that address this vulnerability."

A second vulnerability in the same devices allowed the exfiltration of sensitive information. It too was not patched correctly.

One could almost hear Cisco grit its corporate teeth in the advisory.

In its first attempt, Cisco made the router's firmware not execute the user agent name for the 'curl' command-line tool used for transferring data online. The idea was that this would block exfiltration. Unfortunately, changing the name of the user agent to a different name bypasses this effort, and exfiltration can occur.

Bad Packets Report tweeted in late March that, "Using the latest data from @binaryedgeio, we've scanned 14,045 Cisco RV320/RV325 routers and found 8,827 are leaking their configuration file, including admin credentials, to the public internet."

They found that about 4,000 of them were located in the US. Until a fix is released, the routers should not be directly exposed to the web. Other methods, such as a VPN connection, may also work.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Read more about:

Security Now

About the Author

Larry Loeb

Blogger, Informationweek

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights