Remote access attacks allow authentication bypass and remote code execution
Cisco has just released urgent patches for their RV320 and RV325 WAN VPN routers. The patches resolve two critical vulnerabilities in the router’s firmware:
- CVE-2019-1653 – allows a remote attacker to get sensitive device configuration details without a password (including the hashed passwords for all users).
- CVE-2019-1652 – allows a remote attacker to inject and run admin commands on the device without a password.
Earlier this week, badpackets.net reported that over 9000 of these vulnerable devices were visible through the Shodan search engine.
The affected firmware releases are 184.108.40.206 and 220.127.116.11. Cisco has released a patch for these routers that should be applied immediately by anyone using outdated firmware. Changing the device’s admin and WiFi credentials is also highly recommended as they may already be compromised.
Serious design flaw uncovered in Cisco Small Business Switch authentication system
This report comes shortly after another critical Cisco vulnerability was disclosed in its Small Business Switches (200, 250, 300, 350, 350X, 500 and 500X series switches are all affected ). The vulnerability allows an attacker to bypass the user authentication mechanism and access the device with full admin rights. This vulnerability is not a code defect but rather a serious design flaw in that a default admin account is enabled by the operating system if no other accounts are present with a privilege level of 15. This default account cannot be disabled directly and it will automatically become available if no other level 15 accounts are configured on the device – without issuing any alerts to the administrator or showing up in any configuration listings i.e. it is an invisible account.
According to Cisco, “The default user account is defined in a software-internal data structure and is not visible in either the running configuration or the startup configuration of an affected device.”
No software patch is yet available for this vulnerability which affects all versions of the firmware.
To check if your device is vulnerable, the following command can be used:
Switch# show running-config | include privilege 15
If the output of this command is empty – the device is vulnerable.
To resolve the issue, add a new administrative user, using the instructions on the Cisco webpage here: