
*crushes Scanner* It's over 9000 - Thousands of Cisco Routers vulnerable to configuration + credential leak and RCE

rcmaehl

Source:

ZDNet

BadPackets (Map)

 

Summary: 

Honeypots have detected scanning by malicious attackers trying to exploit newly announced CVE-2019-1653. This CVE notes how affected Cisco Routers can leak their configuration file and credentials which can lead to remote code execution aka CVE-2019-1652.

 

Media:

Of the vulnerable routers found, most were located in the United States.

All configuration details of the RV320/RV325 router are exposed by this vulnerability.

 

Quotes/Excerpts:


Honeypots detected opportunistic scanning activity from multiple hosts targeting Cisco Small Business...routers. A vulnerability exists in these routers that allows remote unauthenticated information disclosure (CVE-2019-1653) leading to remote code execution (CVE-2019-1652). These scans consisted of a GET request for...the path that allows unauthenticated remote users to obtain an entire dump of the device’s configuration settings. This includes the administrator credentials; however, the password is hashed. Using data provided by BinaryEdge, we’ve scanned 15,309 unique IPv4 hosts and determined 9,657 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653. Overall, vulnerable devices were found in 122 countries and on the network of 1,619 unique internet service providers. These routers can be exploited further using the leaked credentials, resulting in remote code execution. These vulnerabilities affect Cisco RV320/RV325 routers running firmware releases 1.4.2.15 and 1.4.2.17. Cisco has released a patch for these routers that should be applied immediately by anyone using outdated firmware. Changing the device’s admin and WiFi credentials is also highly recommended, as they may already be compromised. Due to the sensitive nature of these vulnerabilities, the IP addresses of the affected Cisco RV320/RV325 routers will not be published publicly. However, the list is freely available for authorized CERT teams to review. We’ve shared our findings directly with Cisco PSIRT and US-CERT for further investigation and remediation.

 

My Thoughts:
This is definitely bad. Not only does this provide a foothold within a network, it potentially allows access to other systems using the same credentials as the Cisco router. While I'd surely hope those running enterprise-level devices wouldn't reuse passwords, I can say that password reuse is unfortunately rampant even among the security-conscious of users.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor
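To make the numbers in the summary and the BadPackets excerpt concrete, here is an added example (not BadPackets', Cisco's or the poster's code) that triages scan records the way the write-up describes: deduplicate hosts, flag only the RV320/RV325 firmware releases the post names, produce the same summary figures (unique hosts, vulnerable hosts, countries, ISPs, top country), and list the remediation steps the thread gives per affected device. All sample records, ISP names and the exact-match affected list are assumptions constructed for this example.

```python
"""Added example (not BadPackets' or Cisco's code): triage RV320/RV325 scan
records the way the quoted write-up describes. Assumptions: affected firmware is
exactly the two releases named in the post; all records below are constructed."""
from collections import Counter
from dataclasses import dataclass

AFFECTED_MODELS = {"RV320", "RV325"}          # model family named in the post
AFFECTED_FIRMWARE = {"1.4.2.15", "1.4.2.17"}  # releases named in the post


@dataclass(frozen=True)
class ScanRecord:
    ip: str
    model: str
    firmware: str
    country: str
    isp: str


def is_affected(model: str, firmware: str) -> bool:
    """Exact match only; unknown models or other releases are not flagged."""
    return model.upper() in AFFECTED_MODELS and firmware.strip() in AFFECTED_FIRMWARE


def summarize(records) -> dict:
    """Same shape of summary as the write-up: unique hosts, vulnerable hosts,
    distinct countries and ISPs, and the country with the most vulnerable devices."""
    by_ip = {r.ip: r for r in records}  # dedupe repeat sightings of one IPv4 host
    vulnerable = [r for r in by_ip.values() if is_affected(r.model, r.firmware)]
    countries = Counter(r.country for r in vulnerable)
    return {
        "unique_hosts": len(by_ip),
        "vulnerable": len(vulnerable),
        "countries": len(countries),
        "isps": len({r.isp for r in vulnerable}),
        "top_country": countries.most_common(1)[0][0] if countries else None,
    }


def remediation(rec: ScanRecord) -> list:
    """Per-device actions from the thread: patch first, then assume the leaked
    config already exposed the admin hash and the VPN credentials."""
    if not is_affected(rec.model, rec.firmware):
        return []
    return [f"{rec.ip}: update firmware from {rec.firmware}",
            f"{rec.ip}: rotate admin password (hash exposed in config dump)",
            f"{rec.ip}: rotate VPN credentials stored in the config"]


# Constructed sample: RFC 5737 documentation addresses, fictional ISP names.
SAMPLE = [
    ScanRecord("192.0.2.10", "RV320", "1.4.2.17", "US", "ExampleNet"),
    ScanRecord("192.0.2.10", "RV320", "1.4.2.17", "US", "ExampleNet"),   # repeat sighting
    ScanRecord("192.0.2.11", "RV325", "1.4.2.15", "US", "OtherISP"),
    ScanRecord("198.51.100.5", "RV325", "1.4.2.19", "GB", "ExampleNet"),  # release not listed
    ScanRecord("203.0.113.7", "RV042", "1.4.2.17", "DE", "FritzCo"),      # different model
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```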


 


4 minutes ago, rcmaehl said:

This is definitely bad.

You got that one right ;)

CPU: Intel Core i7-950 Motherboard: Gigabyte GA-X58A-UD3R CPU Cooler: NZXT HAVIK 140 RAM: Corsair Dominator DDR3-1600 (1x2GB), Crucial DDR3-1600 (2x4GB), Crucial Ballistix Sport DDR3-1600 (1x4GB) GPU: ASUS GeForce GTX 770 DirectCU II 2GB SSD: Samsung 860 EVO 2.5" 1TB HDDs: WD Green 3.5" 1TB, WD Blue 3.5" 1TB PSU: Corsair AX860i & CableMod ModFlex Cables Case: Fractal Design Meshify C TG (White) Fans: 2x Dynamic X2 GP-12 Monitors: LG 24GL600F, Samsung S24D390 Keyboard: Logitech G710+ Mouse: Logitech G502 Proteus Spectrum Mouse Pad: Steelseries QcK Audio: Bose SoundSport In-Ear Headphones


7 minutes ago, rcmaehl said:

Cisco has released a patch for these routers that should be applied immediately by anyone using outdated firmware

-If you are using outdated firmware

-Cisco already patched it

 

It's not as bad, but people should be updating their device ASAP, seeing how this is a VPN-based router and the VPN creds are hashed in the config.


What I find interesting is that it's mentioned to only impact 1.4.2.15 and 1.4.2.17 firmware, but there is no mention of the .19 firmware, which was released in early 2018.

 

 

Edit:

It looks like the 2018 (.19) firmware is fixed as well.


11 minutes ago, mynameisjuan said:

-If you are using outdated firmware

-Cisco already patched it

 

It's not as bad, but people should be updating their device ASAP, seeing how this is a VPN-based router and the VPN creds are hashed in the config.

 

11 minutes ago, Lurick said:

What I find interesting is that it's mentioned to only impact 1.4.2.15 and 1.4.2.17 firmware, but there is no mention of the .19 firmware, which was released in early 2018.

 

 

Edit:

It looks like the 2018 (.19) firmware is fixed as well.

 

Still over 9000 affected devices. People don't update as often as they should.


2 minutes ago, rcmaehl said:

Still over 9000 affected devices. People don't update as often as they should.

Well, to update that requires a reboot, and since this model is primarily for businesses, that means updating is kept to a minimum. I guarantee these are smaller businesses, and dealing with them often, they feel as though it has to be up 24/7 and cannot have downtime.

 

I see this constantly. People just don't update their shit, even professionals.


8 minutes ago, GoldenLag said:

Dammit. The 9-year-olds didn't get to it first and start to spam "Subscribe to PewDiePie".

It's the final countdown

 

 


4 minutes ago, rcmaehl said:

It's the final countdown

 

 

On infinite repeat.

He was sub 20k.

*Jumps to million

He is sub 100k

*Jumps to 300k


55 minutes ago, rcmaehl said:

 

 

Still over 9000 affected devices. People don't update as often as they should.

That is 9000 out of the 15,309 that they scanned; scheduling updates can be tricky sometimes.

47 minutes ago, mynameisjuan said:

Well, to update that requires a reboot, and since this model is primarily for businesses, that means updating is kept to a minimum. I guarantee these are smaller businesses, and dealing with them often, they feel as though it has to be up 24/7 and cannot have downtime.

 

I see this constantly. People just don't update their shit, even professionals.

To be honest, I had a router almost break on a firmware update before. (What was supposed to be a 5-minute downtime turned into 5 hours before getting the device back online, reconfigured and the servers running everything they had missed.) When replacing a router once, they were supposed to run in unison for a while...but the older device had to be reset...it never came back online.

 

Restarting any equipment that runs 24/7 can be tricky when you don't have any backup equipment to fall back on if it doesn't go well, and speaking from experience, if things go wrong during the update it can literally be your job on the line (for when things fail) at a smaller business.

3735928559 - Beware of the dead beef


Does this affect the routers that Linus was talking about a few months ago?

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 9 5900X          Case: Antec P8     PSU: Corsair RM850x                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


8 minutes ago, wanderingfool2 said:

To be honest, I had a router almost break on a firmware update before. (What was supposed to be a 5-minute downtime turned into 5 hours before getting the device back online, reconfigured and the servers running everything they had missed.) When replacing a router once, they were supposed to run in unison for a while...but the older device had to be reset...it never came back online.

We have had plenty of devices fail or just lose half their functionality after an update. It's going to happen, and it's why redundancy is needed in any business that needs that uptime. I am definitely not saying there are never problems.

 

9 minutes ago, wanderingfool2 said:

if things go wrong during the update it can literally be your job on the line (for when things fail) at a smaller business

And this is where small businesses that don't understand tech but rely on it will slowly fail. Things shouldn't be updated all willy-nilly during working hours just because; they should be planned, and workers should at least be notified so that if there is a problem they are expecting it.

 

The problem is, if an update breaks something, people who don't understand it will blame the IT guy, and yeah, he could lose his job, which is a fucking dick move by the company. We honestly should be able to sue for unlawful termination.


I wonder where Germany is in that list.

It's not on there...

 

Does that mean this piece of hardware isn't really sold to Germans?

Well, that is possible as most Germans use Fritz! Boxes (for good or for bad)...

"Hell is full of good meanings, but Heaven is full of good works"


3 hours ago, rcmaehl said:

Using data provided by BinaryEdge, we’ve scanned 15,309 unique IPv4 hosts and determined 9,657 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653. Overall, vulnerable devices were found in 122 countries and on the network of 1,619 unique internet service providers.

My personal favorite version of this meme:


"Put as much effort into your question as you'd expect someone to give in an answer"- @Princess Luna

Make sure to Quote posts or tag the person with @[username] so they know you responded to them!

 RGB Build Post 2019 --- Rainbow 🦆 2020 --- Velka 5 V2.0 Build 2021

Purple Build Post ---  Blue Build Post --- Blue Build Post 2018 --- Project ITNOS

CPU i7-4790k    Motherboard Gigabyte Z97N-WIFI    RAM G.Skill Sniper DDR3 1866mhz    GPU EVGA GTX1080Ti FTW3    Case Corsair 380T   

Storage Samsung EVO 250GB, Samsung EVO 1TB, WD Black 3TB, WD Black 5TB    PSU Corsair CX750M    Cooling Cryorig H7 with NF-A12x25


5 hours ago, williamcll said:

Does this affect the routers that Linus was talking about a few months ago?

Not sure which you are referring to


OH yeah Cisco stuff is definitely safer to use than Huawei stuff

 

/s

GUITAR BUILD LOG FROM SCRATCH OUT OF APPLEWOOD

 

- Ryzen Build -

R5 3600 | MSI X470 Gaming Plus MAX | 16GB CL16 3200MHz Corsair LPX | Dark Rock 4

MSI 2060 Super Gaming X

1TB Intel 660p | 250GB Kingston A2000 | 1TB Seagate Barracuda | 2TB WD Blue

be quiet! Silent Base 601 | be quiet! Straight Power 550W CM

2x Dell UP2516D

 

- First System (Retired) -

Intel Xeon 1231v3 | 16GB Crucial Ballistix Sport Dual Channel | Gigabyte H97 D3H | Gigabyte GTX 970 Gaming G1 | 525 GB Crucial MX 300 | 1 TB + 2 TB Seagate HDD
be quiet! 500W Straight Power E10 CM | be quiet! Silent Base 800 with stock fans | be quiet! Dark Rock Advanced C1 | 2x Dell UP2516D

Reviews: be quiet! Silent Base 800 | MSI GTX 950 OC

 


6 hours ago, rcmaehl said:

Not sure which you are referring to

 


11 hours ago, mynameisjuan said:

We have had plenty of devices fail or just lose half their functionality after an update. It's going to happen, and it's why redundancy is needed in any business that needs that uptime. I am definitely not saying there are never problems.

 

And this is where small businesses that don't understand tech but rely on it will slowly fail. Things shouldn't be updated all willy-nilly during working hours just because; they should be planned, and workers should at least be notified so that if there is a problem they are expecting it.

 

The problem is, if an update breaks something, people who don't understand it will blame the IT guy, and yeah, he could lose his job, which is a fucking dick move by the company. We honestly should be able to sue for unlawful termination.

Redundancy is a great concept (all vital links have both a DSL and a cable provider where I am at, in case one goes down), but sometimes it is hard to convince management of the need for hardware redundancy. After all, most people (at least I find) don't have a clue about computer hardware, and trying to justify spending thousands of dollars on effectively spare equipment is an uphill battle; sometimes small businesses simply don't have the budget for additional equipment.


57 minutes ago, williamcll said:

 

No, these are wired routers. Not wireless.


15 hours ago, rcmaehl said:

These vulnerabilities affect Cisco RV320/RV325 routers running firmware releases 1.4.2.15 and 1.4.2.17. Cisco has released a patch for these routers that should be applied immediately by anyone using outdated firmware

At the time of discovery, was this an active firmware release? If so, it makes it even scarier.

 

I'm sure smart cyber-security specialists would be aware if their systems were vulnerable and would organise a time to update the firmware before or after hours. Unfortunately, not every cyber-security specialist is 'smart', as I'm sure you'd be aware; I'd assume some would be outright lazy.


5 hours ago, ZacoAttaco said:

At the time of discovery, was this an active firmware release? If so, it makes it even scarier.

 

I'm sure smart cyber-security specialists would be aware if their systems were vulnerable and would organise a time to update the firmware before or after hours. Unfortunately, not every cyber-security specialist is 'smart', as I'm sure you'd be aware; I'd assume some would be outright lazy.

Active in the sense that it's available for download, but not active in that it was the recommended firmware version.

The impacted versions are from 2017 only as well.
