Cisco Small Business Router Vulnerabilities

Two vulnerabilities have been disclosed in Cisco's Small Business Routers RV320 and RV325.

CVE-2019-1652: Routers Command Injection Vulnerability
A command injection vulnerability has been disclosed in Cisco Small Business routers RV320 and RV325 on firmware versions 1.4.2.15 through 1.4.2.19. CVE-2019-1652 has been assigned to track this vulnerability. An attacker can target this vulnerability by sending a crafted HTTPS POST request to the web management interface of the device. The attacker may need the device credentials to carry out the attack. Upon successful exploitation an attacker can execute arbitrary commands on the target device's Linux shell as root. Cisco has addressed this vulnerability in advisory cisco-sa-20190123-rv-inject. A PoC for this vulnerability is available online.

Exploitation
To exploit this vulnerability the attacker would need a valid session cookie for the target device's web management interface. The attacker crafts a custom HTTPS POST that requests the device to generate a certificate; the function responsible for this operation is susceptible to command injection. When it parses the request, the common_name attribute can be manipulated to include a shell command that is then executed by the target. This is a blind injection attack, so the output cannot be seen directly.

CVE-2019-1653: Cisco Router Information Disclosure Vulnerability
An information disclosure vulnerability has been disclosed in Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers on firmware versions 1.4.2.15 and 1.4.2.17. CVE-2019-1653 has been assigned to track this vulnerability. Upon successful exploitation an attacker can download the router configuration and diagnostic information. The vulnerability is due to improper enforcement of access controls for URLs. An attacker can target the device by connecting to it via specific URLs. Cisco has addressed this vulnerability in advisory cisco-sa-20190123-rv-info. A PoC for this vulnerability is available online.

Exploitation
To obtain the config file the attacker needs to be able to reach http(s)://<target IP>:<port>/cgi-bin/config.exp on the target; user authentication is not required to carry out this attack. The device responds with the config file, which can be stored locally. A similar approach can be followed to obtain the debug files from the target device: the attacker needs to POST the parameter "submitdebugmsg": "1" to http(s)://<target IP>:<port>/cgi-bin/export_debug_msg.exp. The device responds with the encrypted debug files. The resulting file can be decrypted, and it yields backups of /etc and /var.

Mitigation
Please apply the latest patches provided by Cisco to address these vulnerabilities. Qualys customers can scan their network with QID 13405 to detect vulnerable devices. The QID sends an HTTP GET request to the cgi-bin/config.exp page and looks for a vulnerable response.
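Alongside patching and scanning, a defender can look back through traffic logs for the two CVE-2019-1653 endpoints named above. The following is an added example, not code from the Qualys post or the QID itself; it assumes the management interface's HTTP traffic is recorded in Apache/nginx "combined" format by a proxy or sensor in front of the router, and the log lines are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample log lines (combined format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jan/2019:10:12:01 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 48211 "-" "curl/7.58.0"
203.0.113.7 - - [23/Jan/2019:10:12:09 +0000] "POST /cgi-bin/export_debug_msg.exp HTTP/1.1" 200 90112 "-" "python-requests/2.21"
198.51.100.4 - - [23/Jan/2019:10:15:44 +0000] "GET /index.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.9 - - [23/Jan/2019:10:16:02 +0000] "GET /cgi-bin/config.exp?x=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# The two URLs from the CVE-2019-1653 write-up above.
SENSITIVE_PATHS = {
    "/cgi-bin/config.exp": "configuration export",
    "/cgi-bin/export_debug_msg.exp": "diagnostic/debug export",
}

# Minimal combined-log parser: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def find_cve_2019_1653_hits(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request that touched a sensitive export endpoint."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path not in SENSITIVE_PATHS:
            continue
        status = int(m.group("status"))
        size = 0 if m.group("size") == "-" else int(m.group("size"))
        # A 2xx with a body means the device handed the file over; a redirect
        # (e.g. to the login page) or 4xx is still an attempt worth recording.
        verdict = "likely_success" if 200 <= status < 300 and size > 0 else "attempt"
        hits.append({
            "ip": m.group("ip"), "time": m.group("ts"), "method": m.group("method"),
            "path": path, "what": SENSITIVE_PATHS[path],
            "status": str(status), "verdict": verdict,
        })
    return hits


if __name__ == "__main__":
    for hit in find_cve_2019_1653_hits(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['method']} {hit['path']} "
              f"-> {hit['status']} [{hit['what']}] {hit['verdict']}")
```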

Please continue to follow Qualys Threat Protection for more information on vulnerabilities.

References
Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability
Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability
CVE-2019-1652
CVE-2019-1653
Cisco RV320 Command Injection
Cisco RV320 Unauthenticated Diagnostic Data Retrieval
Cisco RV320 Unauthenticated Configuration Export
