
Cisco: All these routers have the same embedded crypto keys, so update firmware

Cisco removes static encryption keys that were shared across its small-business routers.
Written by Liam Tung, Contributing Writer

Security researchers have found that the firmware for several Cisco small-business routers contains numerous security issues.

The problems include hardcoded password hashes as well as static X.509 certificates with the corresponding public-private key pairs and one static Secure Shell (SSH) host key.

The static keys are embedded in the routers' firmware and are used to provide HTTPS and SSH access to the affected routers. Because every device running the affected firmware uses the same keys, the private keys extracted from a single firmware image are the private keys of every such device.

Cisco admits it was an oversight by its developers, but downplays the seriousness of the error because the certificates and keys were never intended to ship in products.


Researchers Stefan Viehböck and Thomas Weber of SEC Consult/IoT Inspector found the static certificates and keys in the Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers. 

Cisco, in an informational advisory, explains that the researchers found two static X.509 certificates with the corresponding public-private key pairs and one static SSH host key in the devices' firmware. 

The certificates were used for testing purposes during the development of the firmware and were never used for live functionality in any shipping version of the products, according to Cisco. 

"The inclusion of these certificates and keys in shipping software was an oversight by the development team for these routers," Cisco said. 

Meanwhile, Cisco explains that the presence of the static SSH host key was due to the Cisco-owned Tail-f Netconf ConfD package that's included in the firmware. But Cisco says key-based SSH authentication isn't supported in any shipping version of this firmware. 
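The practical test for the problem described above (one HTTPS certificate and one SSH host key shared by every device on the affected firmware) is to collect the fingerprints across a fleet and look for duplicates. The following script is an added example, not code from the article or from Cisco, and uses only the Python standard library: it takes `ssh-keyscan`-style lines and PEM certificates, computes OpenSSH-style and `openssl x509 -fingerprint -sha256`-style fingerprints, and reports any fingerprint presented by more than one host. The host names and key material in it are constructed samples, not the real Cisco keys; `fetch_tls_pem` is provided for live collection against a real fleet.

```python
"""Fleet check for shared (static) SSH host keys and TLS certificates.

Added example, not from the article or Cisco. Standard library only.
The sample hosts and key material below are constructed.
"""
import base64
import hashlib
import ssl
from collections import defaultdict


def tls_fingerprint(pem: str) -> str:
    """SHA-256 of the DER certificate, colon-hex like
    `openssl x509 -noout -fingerprint -sha256`."""
    body = "".join(line.strip() for line in pem.strip().splitlines()
                   if not line.startswith("-----"))
    der = base64.b64decode(body)
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def ssh_fingerprint(keyscan_line: str) -> str:
    """OpenSSH-style 'SHA256:<base64>' fingerprint of one ssh-keyscan line
    ('host keytype base64blob [comment]'), the same form `ssh-keygen -lf` prints."""
    _host, _keytype, blob_b64 = keyscan_line.split()[:3]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_fingerprints(by_host: dict) -> dict:
    """Map fingerprint -> sorted hosts, keeping only fingerprints seen on more
    than one host. Any hit means the key material is not per-device."""
    hosts_by_fp = defaultdict(list)
    for host, fp in by_host.items():
        hosts_by_fp[fp].append(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


def audit(keyscan_lines, tls_pems_by_host) -> dict:
    """Run both checks; returns {'ssh': {...}, 'tls': {...}} of shared fingerprints."""
    ssh = {line.split()[0]: ssh_fingerprint(line) for line in keyscan_lines}
    tls = {host: tls_fingerprint(pem) for host, pem in tls_pems_by_host.items()}
    return {"ssh": shared_fingerprints(ssh), "tls": shared_fingerprints(tls)}


def fetch_tls_pem(host: str, port: int = 443) -> str:
    """Live collection for a real fleet (not used by the constructed samples)."""
    return ssl.get_server_certificate((host, port))


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def _fake_ed25519_blob(seed: bytes) -> str:
    """Constructed ssh-ed25519 public-key blob (not a real key): the 32-byte
    'point' is just a hash of the seed so the blob has the right shape."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(hashlib.sha256(seed).digest())
    return base64.b64encode(blob).decode()


def _fake_pem(der: bytes) -> str:
    """Wrap constructed bytes in PEM armor (not a real X.509 certificate)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


# Constructed fleet: rv320-a and rv320-b still carry the static key material,
# rv320-c has been updated and presents per-device keys.
SAMPLE_KEYSCAN = [
    f"rv320-a ssh-ed25519 {_fake_ed25519_blob(b'static-firmware-key')}",
    f"rv320-b ssh-ed25519 {_fake_ed25519_blob(b'static-firmware-key')}",
    f"rv320-c ssh-ed25519 {_fake_ed25519_blob(b'per-device-key')}",
]
SAMPLE_TLS = {
    "rv320-a": _fake_pem(b"static-test-certificate"),
    "rv320-b": _fake_pem(b"static-test-certificate"),
    "rv320-c": _fake_pem(b"per-device-certificate"),
}

if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_KEYSCAN, SAMPLE_TLS).items():
        for fp, hosts in hits.items():
            print(f"{kind}: {fp} shared by {', '.join(hosts)}")
```

On a real fleet, feed `audit` the output of `ssh-keyscan -t rsa,ecdsa,ed25519 <hosts>` and the PEMs returned by `fetch_tls_pem`; a fingerprint that two or more routers share is the static material the advisory describes and is also a ready-made indicator for anyone who has pulled the keys from a firmware image. Note that after updating, each device should show a fingerprint no other device has.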

The researchers also found a hardcoded password hash for the root user in the firmware. 

"An attacker with access to the base operating system on an affected device could exploit this issue to obtain root-level privileges. However, Cisco is not currently aware of a way to access the base operating system on these routers," Cisco notes. 

Cisco says it removed the static certificates and keys and the hardcoded user account in firmware releases and later for the Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers.

The two researchers found similar issues in the firmware for Cisco Small Business RV series routers RV016, RV042, RV042G, and RV082 Routers. 

In this case, there was an X.509 certificate with a corresponding public/private key pair that was issued to Taiwanese networking equipment maker QNO Technology. 

Again, Cisco says it was an oversight by the team that developed these routers and that the keys were never used for live functionality in shipping products, which instead used dynamically created certificates. 

Cisco fixed this issue in firmware release, which also includes a fix for a newly disclosed high-severity bug affecting the RV016, RV042, RV042G, and RV082 routers. 

This bug did warrant a tracking identifier, CVE-2019-15271, and carries a severity score of 8.8 out of 10. A flaw in the routers' web-based management interface could allow an authenticated remote attacker to execute commands with root privileges. 


There is no workaround, so admins must update the firmware. Cisco does advise that the remote management feature can be disabled if it isn't required for business, which also disables the web interface in which the bug lives. 

Cisco has also disclosed a command-injection vulnerability affecting the RV016, RV042, RV042G, RV082, RV320, and RV325 small-business routers.

It has also just detailed high-severity flaws affecting the Cisco Web Security Appliance, Cisco Wireless LAN Controller, the Webex Network Recording Player and Webex Player, the TelePresence Collaboration Endpoint, and the Cisco Prime Infrastructure and Evolved Programmable Network Manager. 

Details about these bugs and their fixes can be found on Cisco's security advisories page.
