Trending CVEs for the Week of January 28th, 2019
This week’s most talked about vulnerability is CVE-2019-1653, an information disclosure vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 routers. It allows an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs: an attacker exploits it by connecting to an affected device over HTTP or HTTPS and requesting specific URLs that the interface serves without requiring a login. A successful exploit allows the attacker to download the router configuration or detailed diagnostic information. It was discovered and privately disclosed to Cisco by the German security firm RedTeam Pentesting, together with a remote command injection flaw, CVE-2019-1652. The two vulnerabilities can be chained to give a remote attacker full control of an affected Cisco router:
- CVE-2019-1653: Allows an unauthenticated, remote attacker to request specific URLs on the router’s web-based management interface without logging in and retrieve sensitive information, including the device configuration (which contains credentials) and diagnostic information.
- CVE-2019-1652: Allows an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands on the underlying system. Credentials recovered through CVE-2019-1653 supply the authentication this second step requires.
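The two bug classes behind this chain, an access-control policy that only protects the paths someone remembered to list, and an admin form field that reaches a shell, are easy to model. The following is an added example written for this page, not Cisco firmware code and not the published proof of concept: the paths, the `Request` model, the `session` cookie name and the certificate-generation stand-in (which calls the Python interpreter instead of a real certificate tool) are all hypothetical. It shows each defect next to its hardened form.

```python
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of a router's web management interface. The paths,
# handler names and the certificate-generation command are hypothetical
# stand-ins chosen for this example; they are not the Cisco endpoints.
RESOURCES = {
    "/login.htm": "login page",
    "/admin/status.htm": "admin status page",
    "/export/config.bin": "device configuration (contains credential hashes)",
    "/export/diagnostics.txt": "detailed diagnostic output",
}

# Vulnerable policy: a login is demanded only for paths under these prefixes,
# so the export endpoints are served to anyone (the CVE-2019-1653 pattern).
PROTECTED_PREFIXES = ("/admin/",)

# Hardened policy: every path needs a session except an explicit public list.
PUBLIC_PATHS = frozenset({"/login.htm"})


@dataclass
class Request:
    path: str
    session: Optional[str] = None  # None means no session cookie was sent


def dispatch_vulnerable(req: Request) -> Tuple[int, str]:
    """Deny-list access control: anything not explicitly protected is public."""
    if req.path not in RESOURCES:
        return 404, ""
    if req.path.startswith(PROTECTED_PREFIXES) and req.session is None:
        return 401, ""
    return 200, RESOURCES[req.path]


def dispatch_fixed(req: Request) -> Tuple[int, str]:
    """Default-deny access control: anything not explicitly public needs a session."""
    if req.path not in RESOURCES:
        return 404, ""
    if req.path not in PUBLIC_PATHS and req.session is None:
        return 401, ""
    return 200, RESOURCES[req.path]


# Second stage, modelled on CVE-2019-1652: an admin-only form field reaches a
# shell. The Python interpreter stands in for the real certificate tool so the
# example runs without openssl; the injection mechanics are the same.
_PRINT_ARG = "import sys; print(sys.argv[1])"
_COMMON_NAME_RE = re.compile(r"[A-Za-z0-9.-]{1,64}")


def gen_cert_vulnerable(common_name: str) -> str:
    """The field is spliced into a command line that /bin/sh parses."""
    cmd = f"{sys.executable} -c '{_PRINT_ARG}' {common_name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def gen_cert_fixed(common_name: str) -> str:
    """Validate the field, then pass it as a single argv element: no shell."""
    if not _COMMON_NAME_RE.fullmatch(common_name):
        raise ValueError(f"rejected common name: {common_name!r}")
    argv = [sys.executable, "-c", _PRINT_ARG, common_name]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def fixed_rejects(common_name: str) -> bool:
    """True if the hardened handler refuses the value before running anything."""
    try:
        gen_cert_fixed(common_name)
    except ValueError:
        return True
    return False


def run_chain(dispatch) -> Tuple[int, int]:
    """Stage 1 of the chain: request the configuration with no session, then
    the same request with a session. Returns the two status codes."""
    anonymous = dispatch(Request("/export/config.bin"))[0]
    admin = dispatch(Request("/export/config.bin", session="s3ss10n"))[0]
    return anonymous, admin


if __name__ == "__main__":
    print("vulnerable dispatch (anonymous, admin):", run_chain(dispatch_vulnerable))
    print("fixed dispatch      (anonymous, admin):", run_chain(dispatch_fixed))
    payload = "router; echo INJECTED"
    print("vulnerable cert handler output:", repr(gen_cert_vulnerable(payload)))
    print("fixed cert handler rejects payload:", fixed_rejects(payload))
```

With the deny-list dispatcher an anonymous request for the export path gets 200; with the default-deny dispatcher it gets 401 while the same request with a session still succeeds. The vulnerable certificate handler, given `router; echo INJECTED`, prints `router` and then runs the injected `echo`; the hardened handler rejects the value on validation, and even a value that passed validation would reach the tool as one argv element rather than through a shell.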
Both vulnerabilities were published in the NVD on 01/24/2019, where they are currently awaiting analysis (no NVD CVSS score yet). Cisco’s security advisories list CVSS base scores of 7.5 for CVE-2019-1653 and 7.2 for CVE-2019-1652.
According to Cisco Security Advisories:
- CVE-2019-1653 (information disclosure vulnerability) affects Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers running Firmware Releases 1.4.2.15 and 1.4.2.17.
- CVE-2019-1652 (remote command injection vulnerability) affects Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers running Firmware Releases 1.4.2.15 through 1.4.2.19.
Exploitation and Risk
Security researcher David Davidson published a proof-of-concept exploit for the two vulnerabilities on GitHub. The exploit first retrieves configuration details using CVE-2019-1653 and then uses CVE-2019-1652 to execute arbitrary commands and gain complete control of the affected device.
Researchers from the cybersecurity firm Bad Packets found over 9,000 vulnerable Cisco routers exposed worldwide, most of them located in the United States, and shared an interactive map of the affected hosts. Bad Packets also reported that its honeypots detected network scanning for vulnerable routers from multiple hosts, indicating that attackers are actively trying to exploit these flaws to take full control of the devices.
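Scanning of this kind leaves a recognisable trace on the target: requests for configuration or diagnostic export paths that carry no session cookie. The following is an added example, not Bad Packets' honeypot logic and not the Cisco router's logging: it runs over constructed access-log lines in combined format with the Cookie header appended as one extra quoted field (an assumed custom log format), and the export paths are hypothetical names, not the Cisco endpoints. It separates probes that were refused (the device is patched or the path is protected) from anonymous requests that were served, which on an unpatched device means the configuration has already left.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Combined log format with the request's Cookie header appended as one extra
# quoted field (a custom log format assumed for this example). The lines are
# constructed sample data, not real router logs; the export paths are
# hypothetical and are not the Cisco endpoints.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

SENSITIVE_PATHS = frozenset({"/export/config.bin", "/export/diagnostics.txt"})

SAMPLE_LOG = [
    '203.0.113.7 - - [26/Jan/2019:03:14:07 +0000] "GET /export/config.bin HTTP/1.1" 200 4182 "-" "curl/7.58.0" "-"',
    '203.0.113.7 - - [26/Jan/2019:03:14:08 +0000] "GET /export/diagnostics.txt HTTP/1.1" 200 9921 "-" "curl/7.58.0" "-"',
    '198.51.100.22 - - [26/Jan/2019:03:20:41 +0000] "GET /export/config.bin HTTP/1.1" 401 0 "-" "python-requests/2.21.0" "-"',
    '192.0.2.10 - - [26/Jan/2019:08:02:13 +0000] "GET /export/config.bin HTTP/1.1" 200 4182 "-" "Mozilla/5.0" "session=a1b2c3"',
    '192.0.2.10 - - [26/Jan/2019:08:03:55 +0000] "GET /admin/status.htm HTTP/1.1" 200 1200 "-" "Mozilla/5.0" "session=a1b2c3"',
    "garbage line that does not parse",
]


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (source, verdict) for one log line, or None if it is not a hit.
    'disclosure' = sensitive path served (200) with no session cookie;
    'probe' = the same anonymous request refused (401/403).
    Requests that carry a session are treated as administrator activity."""
    m = LOG_RE.match(line)
    if not m or m.group("path") not in SENSITIVE_PATHS:
        return None
    if "session=" in m.group("cookie"):
        return None
    status = int(m.group("status"))
    if status == 200:
        return m.group("src"), "disclosure"
    if status in (401, 403):
        return m.group("src"), "probe"
    return None


def analyze(lines: Iterable[str]) -> Dict[str, Counter]:
    """Aggregate per-source counts of probes and successful disclosures."""
    result: Dict[str, Counter] = {"disclosure": Counter(), "probe": Counter()}
    for line in lines:
        hit = classify(line)
        if hit:
            src, verdict = hit
            result[verdict][src] += 1
    return result


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for verdict, counts in report.items():
        for src, n in counts.most_common():
            print(f"{verdict:10s} {src:16s} {n} request(s)")
```

On the sample data the source 203.0.113.7 is reported under `disclosure` twice (configuration and diagnostics both served anonymously), 198.51.100.22 under `probe` once (refused with 401), and the administrator at 192.0.2.10 is not reported because its requests carried a session. A `disclosure` hit is the one to escalate: the credentials in the exported configuration should be assumed compromised and rotated after patching.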
Cisco has released free software updates that address the two vulnerabilities described above:
- Cisco fixed CVE-2019-1653 in RV320 and RV325 Dual Gigabit WAN VPN Routers Firmware Release 1.4.2.20 and later.
- Cisco fixed CVE-2019-1652 in Firmware Release 1.4.2.20 and later.
Cisco later revised both advisories after the initial fix was found to be incomplete, so confirm the currently recommended release in the advisory itself rather than relying on the version quoted here, and treat credentials stored on any device that was exposed before patching as compromised.