Cisco acknowledged yesterday that it bungled a crucial patch for a vulnerability in two router models. The company’s shoddy initial patches allowed hackers to continue attacks throughout the past two months.
The security flaws impact Cisco RV320 and RV325 WAN VPN routers, two models popular with internet service providers and large enterprises.
Cisco patched two security flaws impacting RV320 and RV325 routers at the end of January. The two were:
- CVE-2019-1652 – allows a remote attacker to inject and run admin commands on the device without a password.
- CVE-2019-1653 – allows a remote attacker to get sensitive device configuration details without a password.
The two vulnerabilities came under active attacks after multiple security researchers released proof-of-concept code demonstrating how the bugs worked and how they could be abused to take over routers.
Around 10,000 of these high-powered devices were (and still are) accessible online and vulnerable to attacks.
Initially, it was believed that the Cisco patches would be enough to protect these vulnerable devices. However, yesterday, the security firm that initially discovered these bugs revealed that Cisco’s patches had been woefully incomplete [1, 2, 3].
The problem was that Cisco’s patch merely blacklisted curl, a popular command-line tool for transferring data online, which is also integrated into many internet scanners.
Cisco’s catastrophic thinking was that by blacklisting curl, they’d prevent attackers from discovering vulnerable routers and using the public exploits to take over devices.
The company’s engineers made this decision, as opposed to fixing the vulnerable code in the actual firmware, which would have been the proper way to handle this issue.
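To make the distinction concrete, here is an added illustration (not Cisco's firmware code, and not from the researchers cited above): a mock request handler showing a User-Agent deny list beside a fix that checks authentication and restricts input. The endpoint path, the `Request` model and the handler names are hypothetical.

```python
# Added illustration (hypothetical, not Cisco's code): a client-fingerprint deny
# list versus an actual fix of the privileged code path.
from dataclasses import dataclass, field

# A privileged action that, per the article, was reachable without a password.
@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)
    authenticated: bool = False  # outcome of a real session/credential check

ALLOWED_ACTIONS = {"reboot", "show-status"}  # constructed allow-list of admin actions


def handler_unpatched(req: Request):
    """Hypothetical original behaviour: the admin action runs for anyone."""
    if req.path == "/admin/action":
        return 200, "ran " + req.params.get("action", "")
    return 404, "not found"


def handler_ua_blacklist(req: Request):
    """Weak 'fix': reject one tool's User-Agent, leave the code path intact."""
    if "curl" in req.headers.get("User-Agent", "").lower():
        return 403, "forbidden"
    return handler_unpatched(req)  # any other client still reaches the flaw


def handler_fixed(req: Request):
    """Proper fix: authenticate first, then accept only known actions."""
    if req.path != "/admin/action":
        return 404, "not found"
    if not req.authenticated:
        return 401, "authentication required"
    action = req.params.get("action", "")
    if action not in ALLOWED_ACTIONS:
        return 400, "unsupported action"
    return 200, "ran " + action


def compare(user_agent: str):
    """Status codes each handler returns to an unauthenticated client."""
    req = Request("/admin/action", {"User-Agent": user_agent}, {"action": "reboot"})
    return (handler_ua_blacklist(req)[0], handler_fixed(req)[0])
```

The deny list returns 403 only when the header names curl; with any other client string the privileged path is still reachable, while the fixed handler returns 401 regardless of client.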
Troy Mursch, the co-founder of Bad Packets LLC, and the one who spotted the initial RV320/RV325 scans in January, told ZDNet that hackers never stopped searching for vulnerable devices.
Furthermore, many Cisco RV320/RV325 owners also didn’t bother applying the (faulty) Cisco patches in the first place, meaning that most devices are still vulnerable to the original exploit code that was posted online in January.
But even if device owners applied the January patch, all an attacker has to do now is to switch to a non-curl scanner/exploit tool.
Cisco has not released new patches at the time of this article’s writing, but has merely acknowledged its snafu. The company didn’t provide a timeline for a proper patch’s arrival either.
The company also released 23 other security patches, most being fixes for the company’s IOS XE operating system. None was classified under a “critical” severity rating, and none was exploited in the wild.