Cisco acknowledged yesterday that it bungled a crucial patch for a vulnerability in two router models. The company's shoddy initial patches allowed hackers to continue attacks throughout the past two months.
The security flaws impact Cisco RV320 and RV325 WAN VPN routers, two models popular with internet service providers and large enterprises.
Cisco patched two security flaws impacting RV320 and RV325 routers at the end of January. The two were:
- CVE-2019-1652 - allows a remote attacker to inject and run admin commands on the device without a password.
- CVE-2019-1653 - allows a remote attacker to get sensitive device configuration details without a password.
The two vulnerabilities came under active attacks after multiple security researchers released proof-of-concept code demonstrating how the bugs worked and how they could be abused to take over routers.
Around 10,000 of these high-powered devices were, and still are, accessible online and vulnerable to attacks.
Initially, it was believed that the Cisco patches would be enough to protect these vulnerable devices. However, yesterday, the security firm that initially discovered these bugs revealed that Cisco's patches had been woefully incomplete [1, 2, 3].
To note, the Cisco RV320/RV325 router vulnerabilities were discovered back in September 2018. Four months later a patch was issued that simply blacklisted curl. Cisco then has the gall to request postponement of @RedTeamPT's latest disclosure nearly two months after that. pic.twitter.com/o2FqTsTebO
— Bad Packets Report (@bad_packets) March 27, 2019
The problem was that Cisco's patch merely blacklisted curl, a popular command-line tool for transferring data online, which is also integrated into many internet scanners.
Cisco's catastrophic thinking was that by blacklisting curl, they'd prevent attackers from discovering vulnerable routers and using the public exploits to take over devices.
The company's engineers made this decision, as opposed to fixing the vulnerable code in the actual firmware, which would have been the proper way to handle this issue.
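To make the difference concrete, here is an added example (not Cisco firmware code and not from the original article) that models a User-Agent blocklist next to an authentication check on the sensitive resource, for the unauthenticated-disclosure case. The endpoint path, cookie handling and session token are hypothetical, and the sample requests are constructed.

```python
# Added illustration: a toy request gate, not Cisco firmware code.
# The endpoint path, header handling and session store are hypothetical.

SENSITIVE_PATHS = {"/config-export"}   # hypothetical path
VALID_SESSIONS = {"s3ss10n-admin"}     # constructed session token


def gate_user_agent_blocklist(request):
    """The approach the article describes: refuse clients that identify as curl.

    The User-Agent header is chosen by the client, so this only filters
    clients that announce themselves honestly.
    """
    ua = request.get("headers", {}).get("User-Agent", "")
    if "curl" in ua.lower():
        return 403
    return 200


def gate_require_auth(request):
    """Fix at the source: sensitive paths need a valid session, for any client."""
    if request["path"] in SENSITIVE_PATHS:
        token = request.get("headers", {}).get("Cookie", "")
        if token not in VALID_SESSIONS:
            return 401
    return 200


def audit(gate):
    """Return the labels of unauthenticated sample requests the gate lets through."""
    samples = {  # constructed requests, none of which carries credentials
        "curl": {"path": "/config-export", "headers": {"User-Agent": "curl/7.64.0"}},
        "browser": {"path": "/config-export", "headers": {"User-Agent": "Mozilla/5.0"}},
        "no-ua": {"path": "/config-export", "headers": {}},
    }
    return {name for name, req in samples.items() if gate(req) == 200}


if __name__ == "__main__":
    print("blocklist lets through:", sorted(audit(gate_user_agent_blocklist)))
    print("auth check lets through:", sorted(audit(gate_require_auth)))
```

Running `audit` against each gate is a quick regression check for this class of fix: a correct patch lets none of the unauthenticated samples through, whatever the client calls itself.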
Cisco firmware update for RV320/RV325 routers simply blacklisted the user agent for curl. 🤦♂️ https://t.co/iWrUn98vcr
— Bad Packets Report (@bad_packets) March 27, 2019
Troy Mursch, the co-founder of Bad Packets LLC, and the one who spotted the initial RV320/RV325 scans in January, told ZDNet that hackers never stopped searching for vulnerable devices.
Furthermore, many Cisco RV320/RV325 owners didn't bother applying the (faulty) Cisco patches in the first place, meaning that most devices are still vulnerable to the original exploit code that was posted online in January.
But even if device owners applied the January patch, all an attacker has to do now is to switch to a non-curl scanner/exploit tool.
Cisco has not released new patches, at the time of this article's writing, but merely acknowledged its snafu. The company didn't provide a timeline for a proper patch's arrival either.
The company also released 23 other security patches, most being fixes for the company's IOS XE operating system. None was classified under a "critical" severity rating, and none was exploited in the wild.