CISCO-SA-20191106-RV32X

Vulnerability from csaf_cisco - Published: 2019-11-06 16:00 - Updated: 2019-11-06 16:00
Summary
Cisco Small Business RV320 and RV325 Dual Gigabit WAN Routers Issues

Notes

Summary
Cisco firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers is affected by the following issues: Static certificates and keys Hardcoded password hashes Multiple vulnerabilities in third-party software (TPS) components Static Certificates and Keys Two static X.509 certificates with the corresponding public/private key pairs and one static Secure Shell (SSH) host key were found in the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers. One X.509 certificate was created by the OpenSSL Group for testing purposes and the second certificate is a test certificate created by Cisco. The X.509 certificates and keys in question are part of the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers and were used for their intended testing purpose during the development of that firmware They were never used for live functionality in any shipping version of the product. All shipping versions of this firmware use dynamically created certificates instead. Cisco bug ID: CSCvq34465 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq34465"] The static SSH host key is part of the tail-f (now part of Cisco) Netconf ConfD package that is included in the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers. It was never used for live functionality in any shipping version of the product. Key-based SSH authentication is not supported in any shipping version of this firmware. Cisco bug ID: CSCvq34469 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq34469"] The inclusion of these certificates and keys in shipping software was an oversight by the development team for these routers. Hardcoded Password Hashes The /etc/shadow file included in the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers has a hardcoded password hash for the root user. The /etc/shadow file is not consulted during user authentication by the firmware. Instead, a dedicated alternate user database is used to authenticate users who log in to either the CLI or the web-based management interface of the affected routers. An attacker with access to the base operating system on an affected device could exploit this issue to obtain root-level privileges. However, Cisco is not currently aware of a way to access the base operating system on these routers. Cisco bug ID: CSCvq34472 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq34472"] Multiple Vulnerabilities in Third-Party Software Components Third-party software (TPS) components in the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers contain vulnerabilities. Cisco will handle these vulnerabilities by using the regular Cisco process for TPS vulnerabilities in accordance with the Cisco Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#3psv"]. For information about known TPS vulnerabilities that affect the firmware for these routers, consult the Cisco Bug Search Tool ["https://bst.cloudapps.cisco.com/bugsearch/"].
Affected Products
These issues affect Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers when they are running a firmware release earlier than 1.5.1.05. Products Confirmed Not Affected Only products listed in the Affected Products ["#ap"] section of this advisory are known to be affected by these issues. Updated Firmware Cisco removed the static certificates and keys and the hardcoded user account in firmware releases 1.5.1.05 and later for the Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers. Customers can download the firmware from the Software Center on Cisco.com by doing the following: Click Browse all. Choose Routers > Small Business Routers > Small Business RV Series Routers. Choose a specific product from the right pane of the product selector. Click Small Business Router Firmware.
Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Source
Cisco would like to thank security researchers Stefan Viehböck and Thomas Weber of SEC Consult/IoT Inspector for reporting these issues.
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
To clipboard 

{
  "document": {
    "acknowledgments": [
      {
        "summary": "Cisco would like to thank security researchers Stefan Viehb\u00f6ck and Thomas Weber of SEC Consult/IoT Inspector for reporting these issues."
      }
    ],
    "category": "csaf_informational_advisory",
    "csaf_version": "2.0",
    "notes": [
      {
        "category": "summary",
        "text": "Cisco firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers is affected by the following issues:\r\n\r\nStatic certificates and keys\r\nHardcoded password hashes\r\nMultiple vulnerabilities in third-party software (TPS) components\r\n  Static Certificates and Keys\r\nTwo static X.509 certificates with the corresponding public/private key pairs and one static Secure Shell (SSH) host key were found in the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers. One X.509 certificate was created by the OpenSSL Group for testing purposes and the second certificate is a test certificate created by Cisco.\r\n\r\nThe X.509 certificates and keys in question are part of the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers and were used for their intended testing purpose during the development of that firmware They were never used for live functionality in any shipping version of the product. All shipping versions of this firmware use dynamically created certificates instead.\r\n\r\nCisco bug ID: CSCvq34465 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq34465\"]\r\n\r\nThe static SSH host key is part of the tail-f (now part of Cisco) Netconf ConfD package that is included in the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers. It was never used for live functionality in any shipping version of the product. Key-based SSH authentication is not supported in any shipping version of this firmware.\r\n\r\nCisco bug ID: CSCvq34469 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq34469\"]\r\n\r\nThe inclusion of these certificates and keys in shipping software was an oversight by the development team for these routers.\r\n  Hardcoded Password Hashes\r\nThe /etc/shadow file included in the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers has a hardcoded password hash for the root user.\r\n\r\nThe /etc/shadow file is not consulted during user authentication by the firmware. Instead, a dedicated alternate user database is used to authenticate users who log in to either the CLI or the web-based management interface of the affected routers.\r\n\r\nAn attacker with access to the base operating system on an affected device could exploit this issue to obtain root-level privileges. However, Cisco is not currently aware of a way to access the base operating system on these routers.\r\n\r\nCisco bug ID: CSCvq34472 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq34472\"]\r\n  Multiple Vulnerabilities in Third-Party Software Components\r\nThird-party software (TPS) components in the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers contain vulnerabilities. Cisco will handle these vulnerabilities by using the regular Cisco process for TPS vulnerabilities in accordance with the Cisco Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#3psv\"]. For information about known TPS vulnerabilities that affect the firmware for these routers, consult the Cisco Bug Search Tool [\"https://bst.cloudapps.cisco.com/bugsearch/\"].",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "These issues affect Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers when they are running a firmware release earlier than 1.5.1.05.\r\n  Products Confirmed Not Affected\r\nOnly products listed in the Affected Products [\"#ap\"] section of this advisory are known to be affected by these issues.\r\n  Updated Firmware\r\nCisco removed the static certificates and keys and the hardcoded user account in firmware releases 1.5.1.05 and later for the Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers.\r\n\r\nCustomers can download the firmware from the Software Center on Cisco.com by doing the following:\r\n\r\nClick Browse all.\r\nChoose Routers \u003e Small Business Routers \u003e Small Business RV Series Routers.\r\nChoose a specific product from the right pane of the product selector.\r\nClick Small Business Router Firmware.",
        "title": "Affected Products"
      },
      {
        "category": "general",
        "text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
        "title": "Vulnerability Policy"
      },
      {
        "category": "general",
        "text": "Cisco would like to thank security researchers Stefan Viehb\u00f6ck and Thomas Weber of SEC Consult/IoT Inspector for reporting these issues.",
        "title": "Source"
      },
      {
        "category": "legal_disclaimer",
        "text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
        "title": "Legal Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "Emergency Support:\r\n+1 877 228 7302 (toll-free within North America)\r\n+1 408 525 6532 (International direct-dial)\r\nNon-emergency Support:\r\nEmail: psirt@cisco.com\r\nSupport requests that are received via e-mail are typically acknowledged within 48 hours.",
      "issuing_authority": "Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.\r\nMore information can be found in Cisco Security Vulnerability Policy available at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html",
      "name": "Cisco",
      "namespace": "https://wwww.cisco.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "Cisco Small Business RV320 and RV325 Dual Gigabit WAN Routers Issues",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-rv32x"
      },
      {
        "category": "external",
        "summary": "Cisco Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      },
      {
        "category": "external",
        "summary": "CSCvq34465",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq34465"
      },
      {
        "category": "external",
        "summary": "CSCvq34469",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq34469"
      },
      {
        "category": "external",
        "summary": "CSCvq34472",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq34472"
      },
      {
        "category": "external",
        "summary": "Cisco\u0026nbsp;Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#3psv"
      },
      {
        "category": "external",
        "summary": "Cisco\u0026nbsp;Bug Search Tool",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/"
      },
      {
        "category": "external",
        "summary": "Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      }
    ],
    "title": "Cisco Small Business RV320 and RV325 Dual Gigabit WAN Routers Issues",
    "tracking": {
      "current_release_date": "2019-11-06T16:00:00+00:00",
      "generator": {
        "date": "2022-09-03T03:37:44+00:00",
        "engine": {
          "name": "TVCE"
        }
      },
      "id": "cisco-sa-20191106-rv32x",
      "initial_release_date": "2019-11-06T16:00:00+00:00",
      "revision_history": [
        {
          "date": "2019-11-06T15:34:39+00:00",
          "number": "1.0.0",
          "summary": "Initial public release."
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_family",
            "name": "Cisco Small Business RV Series Router Firmware",
            "product": {
              "name": "Cisco Small Business RV Series Router Firmware ",
              "product_id": "CSAFPID-183630"
            }
          }
        ],
        "category": "vendor",
        "name": "Cisco"
      }
    ]
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.