Security researchers have found over 9,000 Cisco routers that are vulnerable to two serious bugs that Cisco released patches for this month.
Businesses are being urged to install Cisco’s updates detailed in its January 23 security advisories because of publicly available exploit code that could give attackers an easy route to rummaging through an organization’s network.
The two flaws affect the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers. Admins use it to configure router settings.
The information disclosure flaw, CVE-2019-1653, allows an unauthenticated remote attacker to obtain configuration files from the device, revealing sensitive configuration information as well as the administrator’s hashed password.
The other flaw, a remote command execution bug tracked as CVE-2019-165, allows an attacker to remotely execute commands on the device if the attacker has gained valid credentials.
The pair of bugs were reported by German pen-testing outfit RedTeam Pentesting GmbH, which described the risks to organisations.
“By downloading the configuration, attackers can obtain internal network configuration, VPN or IPsec secrets, as well as password hashes for the router’s user accounts,” explained RedTeam Pentesting.
“Knowledge of a user’s password hash is sufficient to log into the router’s web interface. Any information obtained through exploitation of this vulnerability can be used to facilitate further compromise of the device itself or attached networks.”
Things became more dangerous for those using affected Cisco routers after Darren Martyn, a researcher at UK security firm Xiphos Research, who uses the handle 0x27, published exploit code for the bugs two days after Cisco’s advisory. While the disclosure should prompt users to patch affected devices, it could also help attackers breach organizations that haven’t installed the update.