Trending CVEs for the Week of January 28th, 2019

This week’s most talked-about vulnerability is CVE-2019-1653, an information disclosure vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 routers. It could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs in the management interface. An attacker could exploit it by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. It was discovered and privately disclosed to Cisco by the German security firm RedTeam Pentesting, along with a command injection flaw, CVE-2019-1652. The two vulnerabilities can be chained to give a remote attacker full control of an affected Cisco router:

  • CVE-2019-1653: Allows an unauthenticated, remote attacker to retrieve sensitive information from the router’s web-based management interface without logging in, including the device configuration (which contains credentials) and diagnostic information.
  • CVE-2019-1652: Allows an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands on the underlying system. Credentials recovered through CVE-2019-1653 supply the authentication this step requires, which is what makes the chain work.

Both vulnerabilities were published in the NVD on 01/24/2019, where at the time of writing they are still awaiting analysis and carry no NVD CVSS score. The Cisco Security Advisories list CVSS base scores of 7.5 for CVE-2019-1653 and 7.2 for CVE-2019-1652.

Affected Products

According to Cisco Security Advisories:

  • CVE-2019-1653 (information disclosure vulnerability) affects Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers running Firmware Releases 1.4.2.15 and 1.4.2.17.
  • CVE-2019-1652 (command injection vulnerability) affects Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers running Firmware Releases 1.4.2.15 through 1.4.2.19.

Exploitation and Risk

Security researcher David Davidson published a proof-of-concept exploit for the two vulnerabilities on GitHub. The exploit retrieves the device configuration via CVE-2019-1653 and then uses CVE-2019-1652 to execute arbitrary commands, giving complete control of the affected device.

Researchers from the cybersecurity firm Bad Packets have found over 9,000 vulnerable Cisco routers exposed on the Internet worldwide, most of which are located in the United States. They have shared an interactive map of these routers. Bad Packets also reported that its honeypots have detected scanning for vulnerable routers from multiple hosts, indicating that attackers are actively looking for exposed devices to exploit and take full control of.

Fixes

Cisco has released free software updates that address the two vulnerabilities described above:

  • Cisco fixed CVE-2019-1653 in RV320 and RV325 Dual Gigabit WAN VPN Routers Firmware Releases 1.4.2.19 and later.
  • Cisco fixed CVE-2019-1652 in Firmware Releases 1.4.2.20 and later. Because the second fix requires the later release, 1.4.2.20 or later is the minimum that closes both vulnerabilities.
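Turning the affected and fixed releases listed above into an inventory check, as an added example (this is not Cisco’s, RedTeam Pentesting’s or the PoC author’s code): the script parses firmware version strings, classifies each device per CVE, flags devices open to the full leak-then-inject chain, and reports the lowest release that closes everything the device is exposed to. The hostnames and firmware versions at the bottom are constructed sample data. Releases the advisories do not mention (anything older than 1.4.2.15, for example) are reported as unlisted rather than safe, because the advisories make no claim about them.

```python
"""
Firmware triage for Cisco RV320/RV325 against CVE-2019-1653 and CVE-2019-1652.

Added example for this write-up (not Cisco's, RedTeam Pentesting's, or the
PoC author's code).  Affected/fixed releases are the ones the Cisco advisories
state; the inventory at the bottom is constructed sample data.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.4.2.17' (optionally 'v1.4.2.17') into a tuple that compares numerically."""
    cleaned = text.strip().lower().lstrip("v")
    parts = cleaned.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def fmt_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


# What the advisories say.  CVE-2019-1653 lists two discrete releases;
# CVE-2019-1652 lists an inclusive range.  Anything else is "unlisted".
ADVISORIES = {
    "CVE-2019-1653": {
        "affected": {parse_version("1.4.2.15"), parse_version("1.4.2.17")},
        "affected_range": None,
        "fixed_in": parse_version("1.4.2.19"),
    },
    "CVE-2019-1652": {
        "affected": set(),
        "affected_range": (parse_version("1.4.2.15"), parse_version("1.4.2.19")),
        "fixed_in": parse_version("1.4.2.20"),
    },
}


def status(cve: str, firmware: str) -> str:
    """'fixed', 'affected', or 'unlisted' (advisory makes no claim; verify, don't assume safe)."""
    v = parse_version(firmware)
    adv = ADVISORIES[cve]
    if v >= adv["fixed_in"]:
        return "fixed"
    if v in adv["affected"]:
        return "affected"
    rng = adv["affected_range"]
    if rng is not None and rng[0] <= v <= rng[1]:
        return "affected"
    return "unlisted"


def triage(inventory: Dict[str, str]) -> Dict[str, dict]:
    """Per device: status per CVE, whether the full leak-then-inject chain applies,
    and the lowest release that closes every CVE the device is affected by."""
    report = {}
    for host, fw in inventory.items():
        per_cve = {cve: status(cve, fw) for cve in ADVISORIES}
        affected = [cve for cve, s in per_cve.items() if s == "affected"]
        # Full takeover needs both: 1653 leaks credentials, 1652 turns admin into a shell.
        chain = all(per_cve[c] == "affected" for c in ("CVE-2019-1653", "CVE-2019-1652"))
        upgrade: Optional[Version] = (
            max(ADVISORIES[c]["fixed_in"] for c in affected) if affected else None
        )
        report[host] = {
            "firmware": fw,
            "status": per_cve,
            "full_chain": chain,
            "upgrade_to": fmt_version(upgrade) if upgrade else None,
        }
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "rv320-branch-a": "1.4.2.15",   # both CVEs: chainable to full compromise
    "rv325-branch-b": "1.4.2.17",   # both CVEs
    "rv325-branch-c": "1.4.2.19",   # 1653 fixed, 1652 still open
    "rv320-branch-d": "1.4.2.20",   # both fixed
    "rv320-legacy":   "1.3.2.02",   # not covered by either advisory
}

if __name__ == "__main__":
    for host, row in triage(SAMPLE_INVENTORY).items():
        flags = ", ".join(f"{c}={s}" for c, s in row["status"].items())
        print(f"{host:16} {row['firmware']:9} {flags}  chain={row['full_chain']}  upgrade_to={row['upgrade_to']}")
```

The three-way result matters in practice: a device on 1.4.2.19 shows up as fixed for CVE-2019-1653 but still affected by CVE-2019-1652, so the recommended upgrade is computed from the highest fixed release among the CVEs that apply rather than from either advisory alone.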

References

Cisco Security Advisory for CVE-2019-1653

Cisco Security Advisory for CVE-2019-1652

RedTeam Pentesting Report

The Hacker News Report