CISCO-SA-20191106-RV0X2

Vulnerability from csaf_cisco - Published: 2019-11-06 16:00 - Updated: 2019-11-06 16:00
Summary
Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Issues

Notes

Summary
Cisco firmware for certain Cisco Small Business RV Series Routers is affected by the following issues: Certificate and key issued to QNO Technology Hardcoded password hashes Multiple vulnerabilities in third-party software (TPS) components Certificate and Key Issued to QNO Technology An X.509 certificate with a corresponding public/private key pair was initially found in Cisco RV042 Dual WAN VPN Router firmware. This certificate is issued to third-party entity QNO Technology. The certificate and keys in question are part of the firmware for the following Cisco products: RV016 Multi-WAN VPN Router RV042 Dual WAN VPN Router RV042G Dual Gigabit WAN VPN Router RV082 Dual WAN VPN Router The certificate and keys were used for testing during the development of the firmware; they were never used for live functionality in any shipping version of the product. All shipping versions of the firmware for the affected products use dynamically created certificates instead. The inclusion of this certificate and keys in shipping software was an oversight by the development team for these routers. Cisco bug ID: CSCvq34370 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq34370"] Hardcoded Password Hashes The /etc/shadow file included in Cisco firmware for the following Cisco products contains hardcoded password hashes for the users root, cisco, and lldpd. RV016 Multi-WAN VPN Router RV042 Dual WAN VPN Router RV042G Dual Gigabit WAN VPN Router RV082 Dual WAN VPN Router The /etc/shadow file is not consulted during user authentication by the firmware. Instead, a dedicated alternate user database is used to authenticate users who log in to the web-based management interface of the affected routers. An attacker with access to the base operating system on an affected device could exploit this issue to obtain elevated privileges at the level of the root, cisco, or lldpd user. However, Cisco is not currently aware of a way to access the base operating system on these routers. Cisco bug ID: CSCvq34376 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq34376"] Multiple Vulnerabilities in Third-Party Software Components Third-party software (TPS) components in the firmware for the following products contain vulnerabilities: RV016 Multi-WAN VPN Router RV042 Dual WAN VPN Router RV042G Dual Gigabit WAN VPN Router RV082 Dual WAN VPN Router Cisco will handle these vulnerabilities by using the regular Cisco process for TPS vulnerabilities in accordance with the Cisco Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#3psv"]. For information about known TPS vulnerabilities that affect the firmware for these routers, consult the Cisco Bug Search Tool ["https://bst.cloudapps.cisco.com/bugsearch/"].
Affected Products
These issues affect the following Cisco Small Business RV Series Routers when they are running a firmware release earlier than 4.2.3.10: RV016 Multi-WAN VPN Router1 RV042 Dual WAN VPN Router RV042G Dual Gigabit WAN VPN Router RV082 Dual WAN VPN Router1 1. The Cisco RV016 Multi-WAN VPN Router and RV082 Dual WAN VPN Router have reached the end of software maintenance. Products Confirmed Not Affected Only products listed in the Affected Products ["#ap"] section of this advisory are known to be affected by these issues. Updated Firmware Cisco removed the static certificates and keys as well as the hardcoded password hashes in firmware releases 4.2.3.10 and later for the Cisco RV042 Dual WAN VPN Router and RV042G Dual Gigabit WAN VPN Router. Customers can download the firmware from the Software Center ["https://software.cisco.com/download/navigator.html"] on Cisco.com by doing the following: Click Browse all. Choose Routers > Small Business Routers > Small Business RV Series Routers. Choose a specific product from the right pane of the product selector. Click Small Business Router Firmware.
Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Source
Cisco would like to thank security researchers Stefan Viehböck and Thomas Weber of SEC Consult/IoT Inspector for reporting these issues.
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
To clipboard 

{
  "document": {
    "acknowledgments": [
      {
        "summary": "Cisco would like to thank security researchers Stefan Viehb\u00f6ck and Thomas Weber of SEC Consult/IoT Inspector for reporting these issues."
      }
    ],
    "category": "csaf_informational_advisory",
    "csaf_version": "2.0",
    "notes": [
      {
        "category": "summary",
        "text": "Cisco firmware for certain Cisco Small Business RV Series Routers is affected by the following issues:\r\n\r\nCertificate and key issued to QNO Technology\r\nHardcoded password hashes\r\nMultiple vulnerabilities in third-party software (TPS) components\r\n  Certificate and Key Issued to QNO Technology\r\n\r\nAn X.509 certificate with a corresponding public/private key pair was initially found in Cisco RV042 Dual WAN VPN Router firmware. This certificate is issued to third-party entity QNO Technology.\r\n\r\nThe certificate and keys in question are part of the firmware for the following Cisco products:\r\n\r\nRV016 Multi-WAN VPN Router\r\nRV042 Dual WAN VPN Router\r\nRV042G Dual Gigabit WAN VPN Router\r\nRV082 Dual WAN VPN Router\r\n\r\nThe certificate and keys were used for testing during the development of the firmware; they were never used for live functionality in any shipping version of the product. All shipping versions of the firmware for the affected products use dynamically created certificates instead.\r\n\r\nThe inclusion of this certificate and keys in shipping software was an oversight by the development team for these routers.\r\n\r\nCisco bug ID: CSCvq34370 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq34370\"]\r\n\r\n  Hardcoded Password Hashes\r\n\r\nThe /etc/shadow file included in Cisco firmware for the following Cisco products contains hardcoded password hashes for the users root, cisco, and lldpd.\r\n\r\nRV016 Multi-WAN VPN Router\r\nRV042 Dual WAN VPN Router\r\nRV042G Dual Gigabit WAN VPN Router\r\nRV082 Dual WAN VPN Router\r\n\r\nThe /etc/shadow file is not consulted during user authentication by the firmware. Instead, a dedicated alternate user database is used to authenticate users who log in to the web-based management interface of the affected routers.\r\n\r\nAn attacker with access to the base operating system on an affected device could exploit this issue to obtain elevated privileges at the level of the root, cisco, or lldpd user. However, Cisco is not currently aware of a way to access the base operating system on these routers.\r\n\r\nCisco bug ID: CSCvq34376 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq34376\"]\r\n\r\n  Multiple Vulnerabilities in Third-Party Software Components\r\nThird-party software (TPS) components in the firmware for the following products contain vulnerabilities:\r\n\r\nRV016 Multi-WAN VPN Router\r\nRV042 Dual WAN VPN Router\r\nRV042G Dual Gigabit WAN VPN Router\r\nRV082 Dual WAN VPN Router\r\n\r\nCisco will handle these vulnerabilities by using the regular Cisco process for TPS vulnerabilities in accordance with the Cisco Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#3psv\"]. For information about known TPS vulnerabilities that affect the firmware for these routers, consult the Cisco Bug Search Tool [\"https://bst.cloudapps.cisco.com/bugsearch/\"].",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "These issues affect the following Cisco Small Business RV Series Routers when they are running a firmware release earlier than 4.2.3.10:\r\n\r\nRV016 Multi-WAN VPN Router1\r\nRV042 Dual WAN VPN Router\r\nRV042G Dual Gigabit WAN VPN Router\r\nRV082 Dual WAN VPN Router1\r\n\r\n1. The Cisco RV016 Multi-WAN VPN Router and RV082 Dual WAN VPN Router have reached the end of software maintenance.\r\n  Products Confirmed Not Affected\r\nOnly products listed in the Affected Products [\"#ap\"] section of this advisory are known to be affected by these issues.\r\n  Updated Firmware\r\nCisco removed the static certificates and keys as well as the hardcoded password hashes in firmware releases 4.2.3.10 and later for the Cisco RV042 Dual WAN VPN Router and RV042G Dual Gigabit WAN VPN Router.\r\n\r\nCustomers can download the firmware from the Software Center [\"https://software.cisco.com/download/navigator.html\"] on Cisco.com by doing the following:\r\n\r\nClick Browse all.\r\nChoose Routers \u003e Small Business Routers \u003e Small Business RV Series Routers.\r\nChoose a specific product from the right pane of the product selector.\r\nClick Small Business Router Firmware.",
        "title": "Affected Products"
      },
      {
        "category": "general",
        "text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
        "title": "Vulnerability Policy"
      },
      {
        "category": "general",
        "text": "Cisco would like to thank security researchers Stefan Viehb\u00f6ck and Thomas Weber of SEC Consult/IoT Inspector for reporting these issues.",
        "title": "Source"
      },
      {
        "category": "legal_disclaimer",
        "text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
        "title": "Legal Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "Emergency Support:\r\n+1 877 228 7302 (toll-free within North America)\r\n+1 408 525 6532 (International direct-dial)\r\nNon-emergency Support:\r\nEmail: psirt@cisco.com\r\nSupport requests that are received via e-mail are typically acknowledged within 48 hours.",
      "issuing_authority": "Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.\r\nMore information can be found in Cisco Security Vulnerability Policy available at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html",
      "name": "Cisco",
      "namespace": "https://wwww.cisco.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Issues",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-rv0x2"
      },
      {
        "category": "external",
        "summary": "Cisco Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      },
      {
        "category": "external",
        "summary": "CSCvq34370",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq34370"
      },
      {
        "category": "external",
        "summary": "CSCvq34376",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq34376"
      },
      {
        "category": "external",
        "summary": "Cisco Bug Search Tool",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/"
      },
      {
        "category": "external",
        "summary": "Software Center",
        "url": "https://software.cisco.com/download/navigator.html"
      },
      {
        "category": "external",
        "summary": "Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      }
    ],
    "title": "Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Issues",
    "tracking": {
      "current_release_date": "2019-11-06T16:00:00+00:00",
      "generator": {
        "date": "2022-09-03T03:37:45+00:00",
        "engine": {
          "name": "TVCE"
        }
      },
      "id": "cisco-sa-20191106-rv0x2",
      "initial_release_date": "2019-11-06T16:00:00+00:00",
      "revision_history": [
        {
          "date": "2019-11-06T15:33:57+00:00",
          "number": "1.0.0",
          "summary": "Initial public release."
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_family",
            "name": "Cisco Small Business RV Series Router Firmware",
            "product": {
              "name": "Cisco Small Business RV Series Router Firmware ",
              "product_id": "CSAFPID-183630"
            }
          }
        ],
        "category": "vendor",
        "name": "Cisco"
      }
    ]
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.