Two recently patched vulnerabilities that allow remote unauthenticated information disclosure and remote code execution are being targeted by cybercriminals.
Ongoing malicious scanning activity is targeting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers, with an increase in opportunistic probes targeting vulnerable devices since Friday.
According to honeypot data from Bad Packets Report, cybercriminals are targeting a pair of recently patched vulnerabilities that allow remote unauthenticated information disclosure and remote code execution on routers. The firm discovered that more than 9,000 routers are vulnerable to attack.
The first flaw exists in the web-based management interface for RV320/RV325; a simple GET request for /cgi-bin/config.exp returns the complete configuration settings for the device, including administrator credentials (though the password is stored as a hash).
This could allow an unauthenticated, remote attacker to obtain sensitive configuration information, researcher Troy Mursch explained in a weekend advisory. This vulnerability exposes all router configuration information for the RV320/RV325 models.
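As an added illustration for defenders (not code from the original report or from Bad Packets), the snippet below flags requests for the configuration-export path described above in web-server access logs. The log lines are constructed for this example, and the Common Log Format is an assumption; a given router or reverse proxy may log differently.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jan/2019:10:01:12 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 18342
198.51.100.23 - - [26/Jan/2019:10:02:45 +0000] "GET /index.html HTTP/1.1" 200 1022
203.0.113.7 - - [26/Jan/2019:10:03:01 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 18342
192.0.2.55 - - [26/Jan/2019:10:04:09 +0000] "GET /CGI-BIN/Config.EXP?x=1 HTTP/1.0" 404 210
198.51.100.23 - - [26/Jan/2019:10:05:30 +0000] "POST /cgi-bin/login HTTP/1.1" 302 0
"""

# Assumed log layout: client ip, ident, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Path used by the information-disclosure flaw the article describes.
CONFIG_EXPORT_PATH = "/cgi-bin/config.exp"


def find_config_export_probes(log_text):
    """Return (ip, timestamp, status) for every request whose path, ignoring
    case and any query string, is the configuration export path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        path = m.group("path").split("?", 1)[0].lower()
        if path == CONFIG_EXPORT_PATH:
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits


def summarize_by_source(hits):
    """Count probes per source IP and list sources that received a 200,
    i.e. requests where the export succeeded and the config actually leaked."""
    counts = Counter(ip for ip, _, _ in hits)
    leaked = sorted({ip for ip, _, status in hits if status == 200})
    return counts, leaked


if __name__ == "__main__":
    probes = find_config_export_probes(SAMPLE_LOG)
    per_source, leaked_to = summarize_by_source(probes)
    for ip, n in per_source.most_common():
        print(f"{ip}: {n} probe(s)")
    print("sources that received a successful export:", leaked_to)
```

A 200 on this path from an unknown source means the device's configuration, credentials included, should be treated as exposed and rotated after patching.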
Bad Packets Report’s BinaryEdge scans of 15,309 unique IPv4 hosts revealed that 9,657 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653: Remote code execution. It breaks down to 6,247 vulnerable Cisco RV320 routers out of 9,852 scanned, and 3,410 vulnerable Cisco RV325 routers out of 5,457 scanned.
Mursch stated that the majority of these are located in the United States, but that vulnerable devices were discovered in 122 countries and on the networks of 1,619 different ISPs, creating a significant global attack surface.
After logging in with the disclosed administrative credentials, an attacker can further exploit the router. The CVE-2019-1652 flaw allows an authenticated, remote attacker with administrative privileges to execute arbitrary commands on a vulnerable device. The vulnerability is caused by improper validation of user-supplied input.
According to Cisco’s documentation, “an attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of a vulnerable device.” “A successful exploit could permit an attacker to execute arbitrary commands as root on the underlying Linux shell.”
David Davidson, a researcher and grey hat, described a proof-of-concept for remote code execution, but Mursch noted that there are mitigating circumstances.
“It is currently unknown how compromised routers will be exploited,” he explained to us. “At this time, I can only confirm that threat actors are scraping leaked configuration files and credentials to compile an inventory of vulnerable devices. Due to the capabilities (or lack thereof) identified by David Davidson, the actual amount of damage may be restricted. Time alone will tell.”
Davidson’s tweet provided clarification:
Essentially, anyone without a patch is probably doomed. Except for the fact that ‘wget’ on these machines is broken half the time and it’s probably beyond the ability of the average schmuck to cross-compile their mirai bot for the proper mips64rev2 shite (for now)
— an individual (@info dox) on January 26, 2019
Notably, the SSID is also disclosed as a result of the vulnerability.
“This allows attackers to determine the physical location of the router using services such as WiGLE,” Mursch told us.
Mursch noted that this was also the case with the recent Orange Livebox vulnerability. This means that an attacker can conduct a variety of on-site proximity attacks, and it also facilitates the creation of botnets, as many administrators use the same credentials for the administrative panel and the WiFi network — allowing for the enslavement of more devices.
The flaws affect Cisco RV320/RV325 routers with firmware versions 184.108.40.206 and 220.127.116.11. Administrators should immediately apply Cisco’s patch and change the admin and WiFi credentials for their devices to prevent any potential compromises.