Thursday, June 13, 2019

Cisco Routers Targeted ... Again
-Charles Parker, II

The Cisco name is known across the globe and is highly regarded. A massive amount of engineering has been applied to the product line, and in this case to their routers.

Targets
Security researchers detected scanning of Cisco RV320 and RV325 WAN routers, along with attempts to exploit their vulnerabilities. Specifically, this was aimed at the RV320 with firmware versions 1.4.2.15 through 1.4.2.19, and the RV325 with versions 1.4.2.15 through 1.4.2.17. These hardware instances are commonly used by internet service providers (ISPs) and large enterprises.

Attacks
The attacks started in earnest in January 2019. This just happened to coincide with researcher David Davidson releasing a proof-of-concept exploit for the targeted routers.

Vulnerabilities
The vulnerabilities driving these exploits were CVE-2019-1653 and CVE-2019-1652. CVE-2019-1653 allows a remote attacker to retrieve sensitive device configuration details without a password, which lets the attacker obtain hashed credentials. CVE-2019-1652 allows a remote attacker to inject and run admin commands on the device without a password, giving control of the targeted device.

Earlier, 6,247 RV320 and 3,410 RV325 routers were vulnerable, spread across 122 countries and 1,619 distinct ISPs. Both vulnerabilities were reported to Cisco by RedTeam Pentesting from Germany.

Remediation
After the notification, naturally, the Cisco engineers worked on this. The end result was that patches were created and released in January 2019. This might have been the end of it; however, the attackers were using Davidson's PoC and adding other commands, which allowed them to take full control over the noted Cisco devices. To alleviate the issue, users were recommended to upgrade to firmware version 1.4.2.20. The users were also recommended to change their passwords. It was important for users to do this, or they might have had an unwelcome surprise.
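As an added illustration (not from the original post or from Cisco), the following Python snippet triages a constructed device inventory against the affected and fixed firmware versions stated above, so an administrator can see which units still need the 1.4.2.20 upgrade and a password change; the inventory rows, hostnames and status labels are assumptions.

```python
# Affected firmware ranges (inclusive) per model, as stated in the post.
AFFECTED = {
    "RV320": ((1, 4, 2, 15), (1, 4, 2, 19)),
    "RV325": ((1, 4, 2, 15), (1, 4, 2, 17)),
}
# Firmware version the post recommends upgrading to.
FIXED_VERSION = (1, 4, 2, 20)


def parse_version(text):
    """Turn '1.4.2.15' into (1, 4, 2, 15); raises ValueError on malformed input."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected firmware version format: {text!r}")
    return parts


def triage(model, version):
    """Classify one device as 'affected', 'fixed', 'unlisted' or 'unknown-model'."""
    model = model.upper().replace(" ", "")  # accept 'RV 325' as well as 'RV325'
    if model not in AFFECTED:
        return "unknown-model"
    v = parse_version(version)
    lo, hi = AFFECTED[model]
    if lo <= v <= hi:
        return "affected"
    if v >= FIXED_VERSION:
        return "fixed"
    # Below the fix but outside the published range: check the vendor advisory.
    return "unlisted"


def triage_inventory(rows):
    """rows: iterable of (hostname, model, version); returns hostname -> status."""
    return {host: triage(model, ver) for host, model, ver in rows}


# Constructed sample inventory (hypothetical devices, not real hosts).
SAMPLE_INVENTORY = [
    ("edge-1", "RV320", "1.4.2.17"),
    ("edge-2", "RV 325", "1.4.2.18"),
    ("edge-3", "RV325", "1.4.2.20"),
    ("core-1", "OTHERMODEL", "2.0.0.1"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "affected" or "unlisted" should be upgraded and have their credentials rotated, since the hashed credentials may already have been exposed.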


Resources
0x27. (2019, January 24). CVE-2019-1652/CVE-2019-1653 exploits for dumping Cisco RV320 configurations & debugging data and remote root exploit. Retrieved from https://github.com/0x27/CiscoRV320Dump

Cimpanu, C. (2019, January 27). Hackers are going after Cisco RV320/RV325 routers using a new exploit. Retrieved from https://www.zdnet.com/article/hackers-are-going-after-cisco-rv320rv325-routers-using-a-new-exploit

Cisco. (2019, January 25). Cisco Small Business RV320 and RV325 routers command injection vulnerability. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject

Kumar, M. (2019, January 28). New exploit threatens over 9,000 hackable Cisco RV320/RV325 routers worldwide. Retrieved from https://thehackernews.com/2019/01/hacking-cisco-routers.html
