Cisco RV320/RV325 WAN Router Vulnerability Threatens Internet Providers And The Enterprise
- CVE-2019-1652: A vulnerability in the web-based management interface that could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands.
- CVE-2019-1653: A vulnerability in the web-based management interface that could allow an unauthenticated, remote attacker to retrieve sensitive information.
According to BleepingComputer, both vulnerabilities were discovered by German firm RedTeam Pentesting and privately disclosed to Cisco, which prompted the company to release patches for the two issues listed above. However, things took a turn for the worse when security researcher David Davidson posted a proof-of-concept [via GitHub] that chains the two vulnerabilities together into a working attack against unpatched RV320 and RV325 routers.
Expecting every affected router to be patched within a few days is wishful thinking, which is why some rather resourceful attackers are already building on Davidson's work to obtain full control over affected devices.
⚠️ WARNING ⚠️ Incoming scans detected from multiple hosts checking for vulnerable Cisco RV320/RV325 routers. A vulnerability in the web-based management interface of these routers could allow an unauthenticated, remote attacker to retrieve sensitive configuration information. pic.twitter.com/OhQD55WNZD
— Bad Packets Report (@bad_packets) January 25, 2019
An investigation by Bad Packets Report found nearly 9,700 affected Cisco routers exposed, the vast majority of them located in the United States. Using CVE-2019-1653, an attacker can obtain "an entire dump of the device's configuration settings", which includes the administrator credentials, although the password information in that dump is hashed.
When combined with CVE-2019-1652, however, the resulting remote code execution gives deeper access to device commands and, eventually, full control of the targeted device.
At this point, the first course of action is, of course, to apply Cisco's patches for the RV320 and RV325. The second is to change the admin and Wi-Fi credentials, since those details may well have been leaked already.