Security researchers have observed ongoing internet scans and exploitation attempts against Cisco RV320 and RV325 WAN VPN routers, two models very popular among internet service providers and large enterprises.
The vulnerabilities are:
- CVE-2019-1653 - allows an unauthenticated remote attacker to retrieve sensitive device configuration details, credentials included, without a password.
- CVE-2019-1652 - allows a remote attacker who holds valid admin credentials (for example, ones recovered through CVE-2019-1653) to inject and run commands on the device.
The current consensus is that attackers are using Davidson's proof-of-concept code to retrieve configuration details (and the credentials in them) via CVE-2019-1653, and then using CVE-2019-1652 to run additional commands, taking full control of vulnerable devices.
"I would advise affected users to upgrade to firmware version 220.127.116.11 and change their device passwords immediately," said security researcher Troy Mursch, of Bad Packets LLC, who first spotted the scans on Friday.
"It's likely these routers will be targeted by miscreants for abuse, but to what degree yet is unknown. CVE-2019-1652 allows for further exploitation once the credentials are obtained," Mursch told ZDNet.
"I'm in agreement with this guy," Mursch added, pointing ZDNet to one of Davidson's tweets.
Mursch also used BinaryEdge, a search engine for internet-connected devices, to track down all the Cisco RV320 and RV325 routers that are vulnerable to these attacks.
After a night of investigating, the researcher tracked down 9,657 vulnerable devices: 6,247 Cisco RV320 routers and 3,410 Cisco RV325 routers.
Mursch has built an interactive map from the data he obtained, showing the location of every vulnerable host (exposed and unpatched, not necessarily compromised). The vast majority of these devices sit on the networks of US ISPs.
"Due to the sensitive nature of these vulnerabilities, the IP addresses of the affected Cisco RV320/RV325 routers will not be published publicly. However, the list is freely available for authorized CERT teams to review. We've shared our findings directly with Cisco PSIRT and US-CERT for further investigation and remediation," Mursch wrote in a separate report published today.
As Mursch advises above, the simplest way to mitigate these attacks is to update the Cisco RV320 and RV325 firmware to a fixed release and then change the device passwords: a firmware update closes the hole, but any credentials already pulled out of the configuration through CVE-2019-1653 stay valid until they are rotated. Get patchin'!
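For operators with more than a handful of these routers, the practical question is which units still need the update. The following fleet-triage script is an added example, not code from the article, Bad Packets or Cisco. It assumes an inventory export with `host`, `model` and `firmware` fields (the sample inventory is constructed) and takes the fixed firmware version as a parameter; the `FIXED_VERSION` value below is a placeholder for this example and should be confirmed against Cisco's advisory before use. The one non-obvious point it demonstrates is that firmware versions must be compared numerically, field by field, because plain string comparison ranks `1.4.2.3` above `1.4.2.20`.

```python
"""Flag Cisco RV320/RV325 routers whose firmware predates the fixed release.

Added example (not from the article, Bad Packets or Cisco). Inventory rows and
the FIXED_VERSION value are constructed placeholders for illustration.
"""
import re

# Only the RV320 and RV325 are covered by the advisory; the regex's word
# boundaries keep e.g. "RV320W" (a different product) from matching.
AFFECTED_MODEL_RE = re.compile(r"\bRV32[05]\b", re.IGNORECASE)

# Placeholder for this example; take the real fixed release from Cisco's advisory.
FIXED_VERSION = "1.4.2.20"

# Constructed inventory export, as a NMS or CMDB might produce it.
SAMPLE_INVENTORY = [
    {"host": "gw-01.example", "model": "Cisco RV320", "firmware": "1.4.2.3"},
    {"host": "gw-02.example", "model": "Cisco RV325", "firmware": "1.4.2.22"},
    {"host": "gw-03.example", "model": "Cisco RV320", "firmware": "1.3.2.02"},
    {"host": "core-01.example", "model": "Cisco RV340", "firmware": "1.0.0.1"},
    {"host": "gw-04.example", "model": "Cisco RV320W", "firmware": "1.2.1.0"},
]


def parse_version(version):
    """Turn a dotted firmware string into a tuple of ints.

    Numeric fields compare correctly ("1.4.2.20" > "1.4.2.3"), which a plain
    string comparison gets wrong because "2" sorts after "20".
    """
    fields = re.findall(r"\d+", version)
    if not fields:
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(f) for f in fields)


def version_lt(a, b):
    """True if firmware string a is older than b; shorter tuples are zero-padded
    so that "1.4.2" and "1.4.2.0" are treated as equal."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


def triage(inventory, fixed_version):
    """Return hosts that are affected models running firmware older than fixed_version.

    Every host returned needs both the firmware update and a password change,
    since credentials may already have been exposed via CVE-2019-1653.
    """
    hits = []
    for device in inventory:
        if not AFFECTED_MODEL_RE.search(device["model"]):
            continue
        if version_lt(device["firmware"], fixed_version):
            hits.append(device["host"])
    return hits


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY, FIXED_VERSION):
        print(f"{host}: update firmware to {FIXED_VERSION}, then rotate credentials")
```

Feed it your real inventory and the fixed version from Cisco's advisory; hosts it returns should be patched first and their admin passwords rotated afterwards, since the update alone does not invalidate credentials that were already scraped.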