Cisco announced patches last week for vulnerabilities in two of its routers; both are rated High, each with a CVSS score above 7.
Which devices are affected?
At present it appears that only two models are affected: the Cisco Small Business RV320 and the Cisco Small Business RV325. Ironically, Cisco promotes these on its website as:
RV320 … is an ideal choice for any small office or small business looking for performance, security, and reliability.
Ouch.
The official Cisco pages with the details can be found here:
How many devices are affected?
I did a search on Shodan (4th February 2019, 21:20) which showed just under 20,000 of these devices identifiable via Shodan; as ever, the challenge is how to identify the owners in order to warn them. The global distribution is US-centric:
RV320 Devices on Shodan
RV325 Devices on Shodan
Just TWO DAYS after the patches were released, an exploit was posted online (GitHub: https://github.com/0x27/CiscoRV320Dump) that takes advantage of these vulnerabilities. Its author states that the following are all already possible:
- Dumping (Plaintext) Configuration File! (includes hashes for the webUI!)
- Dumping (Encrypted) Diagnostic/Debug Files! (including config, and the /etc and /var directories)
- Decrypting the encrypted Diagnostic/Debug Files! (yes, you get /etc/shadow!)
- Post-Authentication Remote Command Injection as root in the webUI!
The exploit is written in Python, so it does not need compiling, and it comes with an elegant, well-written command-line structure and detailed usage notes.
The very short window between patch release and a working public exploit is concerning in itself. More worrying is that when a vulnerability like this is disclosed, there is no clear channel for warning the owners of affected devices.
Another serious concern is that thousands of these devices may already have been compromised and then patched by the attackers themselves, so that they keep control of the device for long-term gain rather than a short-term hit. A unit that now reports the fixed firmware is therefore not necessarily clean: anyone whose router was exposed should assume the configuration, including the webUI credential hashes, has been read, and should change those credentials.
This type of behaviour is increasing as IoT devices are brought into botnets and state-sponsored actors look for new avenues for persistent intelligence footholds.