Trending CVEs for the Week of March 4th, 2019
Updates on Drupal (CVE-2019-6340) & A New Improper Input Validation Flaw Leading to RCE in Cisco Routers (CVE-2019-1663)
The improper input validation flaw leading to remote code execution (RCE) in Drupal (CVE-2019-6340), which we covered in detail last week, is still trending this week. This is not surprising considering the prevalence of Drupal, the importance of websites relying on the Drupal platform (including governments, large media corporations, and universities), and the reports of the vulnerability being weaponized within three days of announcement – with threat actors attempting to exploit it in the wild to deliver cryptocurrency miners and other payloads.
Since last week's post, security firm Cloudflare has detailed how they developed and deployed a Web Application Firewall (WAF) rule to detect those attackers. The pattern they saw was “fairly typical of a newly announced vulnerability”: within 48 hours of the Drupal announcement, they noticed attackers, first in small numbers and using test payloads to check whether the attacks work, but shortly afterwards in much higher numbers and with more dangerous and subtle payloads.
For details on how to fix or mitigate this vulnerability, please refer to our original post.
Another recent vulnerability we want to bring to your attention this week, and a close second in social media mentions, is CVE-2019-1663, which affects a range of Cisco products.
CVE-2019-1663 is a vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router that could allow unauthenticated remote attackers to execute arbitrary code on an affected device. If it rings a bell, it may be because we covered another set of RCE vulnerabilities in (another group of) Cisco routers only a few weeks ago.
It is yet another vulnerability due to improper validation of user-supplied data. It could be exploited by sending malicious HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user.
According to Cisco, security researchers announced the discovery of this vulnerability, without any technical details or mention of the affected products, at the GeekPwn Shanghai conference on October 24-25, 2018. The vulnerability was publicly disclosed in a Cisco Security Advisory on 2/27/2019. It was published in the NVD a day later and assigned the maximum severity (CVSS v2 Base Score of 10.0): it is easy to exploit, bypasses all authentication procedures, and routers can be attacked remotely.
- Cisco RV110W Wireless-N VPN Firewall versions prior to 22.214.171.124
- Cisco RV130W Wireless-N Multifunction VPN Router versions prior to 126.96.36.199
- Cisco RV215W Wireless-N VPN Router versions prior to 188.8.131.52
These are WiFi routers touting highly secure connectivity for small offices, and as such they are mostly deployed in small businesses and residential homes.
Exploitation and Risk
According to Rapid7, there are just under 12,000 exposed devices worldwide, mostly found on residential or small business ISP networks, and all of these devices are vulnerable unless the available patch has been applied. ZDNet points out that the owners of these devices are less likely to patch than when vulnerabilities affect large corporate environments.
A proof-of-concept exploit was detailed in a blog post by Pen Test Partners, the group that is partially credited with originally disclosing this vulnerability to Cisco. They were very critical of Cisco, attributing the root cause of CVE-2019-1663 to the use of an infamously insecure function of the C programming language – strcpy.
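The unbounded-copy pattern described above, beside a length-checked alternative, as an added example that is not code from Cisco's firmware or from the Pen Test Partners post. The field names, FIELD_MAX, the sample request body and both functions are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64 /* hypothetical size of a fixed per-field buffer */

/* Unsafe pattern, for contrast: strcpy() copies until the NUL in `value`
 * and never looks at the size of `buf`, so a value of FIELD_MAX bytes or
 * more overruns the stack buffer. */
size_t field_len_unsafe(const char *value) {
    char buf[FIELD_MAX];
    strcpy(buf, value); /* no length check on user-supplied data */
    return strlen(buf);
}

/* Checked pattern: copy the value of `name` out of a form-encoded body
 * ("a=1&b=2") into `out`. Returns the value length, or -1 if the field is
 * missing or would not fit. Oversized input is rejected, not truncated. */
int get_field(const char *body, const char *name, char *out, size_t out_size) {
    if (!body || !name || !out || out_size == 0) return -1;
    size_t name_len = strlen(name);
    for (const char *p = body; *p; ) {
        const char *amp = strchr(p, '&');
        size_t pair_len = amp ? (size_t)(amp - p) : strlen(p);
        if (pair_len > name_len && p[name_len] == '=' &&
            strncmp(p, name, name_len) == 0) {
            size_t val_len = pair_len - name_len - 1;
            if (val_len >= out_size) return -1; /* no room for value + NUL */
            memcpy(out, p + name_len + 1, val_len);
            out[val_len] = '\0';
            return (int)val_len;
        }
        if (!amp) break;
        p = amp + 1;
    }
    return -1;
}

int main(void) {
    /* Constructed sample request body with one oversized field. */
    char body[256] = "lang=en&user=";
    memset(body + strlen(body), 'A', 200);
    char out[FIELD_MAX];
    printf("lang -> %d\n", get_field(body, "lang", out, sizeof out));
    printf("user -> %d\n", get_field(body, "user", out, sizeof out));
    return 0;
}
```

The checked version rejects an oversized value outright, so the caller can answer with an error instead of processing a silently truncated field.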
As of the most recent update to the Cisco Advisory, Cisco is aware of ongoing active network scanning potentially targeting the vulnerability.
There are no workarounds, but Cisco has released software updates that address this vulnerability, and upgrading to the newest version of the affected products is required to fix the issue.