Public Exploit Scripts for Vulnerable Cisco Small Business RV320 and RV325 Devices Now Available

Tenable published a blog [1] today about two vulnerabilities in Cisco Small Business WAN VPN routers RV320 and RV325. Cisco published advisories for these and other vulnerabilities on January 23. The first is CVE-2019-1652 [2], a command injection vulnerability that exists in firmware versions 1.4.2.15 through 1.4.2.19. The second is CVE-2019-1653 [3], an information disclosure vulnerability that exists in firmware versions 1.4.2.15 and 1.4.2.17. Of the two vulnerabilities, CVE-2019-1653 requires no authentication to exploit, so a remote attacker can use it to easily retrieve sensitive information including the router’s configuration file, which includes MD5 hashed credentials as well as diagnostic information.

Two notable developments have emerged within the last day. First, a security researcher published a repository of exploit scripts on Github [4] to target these vulnerabilities. Second, Troy Mursch, who operates the Twitter handle @bad_packets, tweeted [5] that incoming scans probing for vulnerable versions of these devices have started.

Cisco has released software updates to address both of these vulnerabilities. These software updates can be retrieved from the Cisco Software Center [6] website.

Tenable will be publishing plugins for these vulnerabilities. They will appear here [7] as they’re released.

[1] https://www.tenable.com/blog/public-exploit-scripts-for-vulnerable-cisco-small-business-rv320-and-rv325-devices-now

[2] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject

[3] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info

[4] https://github.com/0x27/CiscoRV320Dump

[5] https://twitter.com/bad_packets/status/1088876712933306368

[6] https://software.cisco.com/download/home

[7] https://www.tenable.com/plugins/search?q=cves%3A(%22CVE-2019-1652%22%20OR%20%20%22CVE-2019-1653%22)&sort=&page=1