5
MEDIUM

CVE-2019-1653

Published: 24/01/2019 Updated: 15/02/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

Vulnerability Summary

Cisco RV320 and RV325 Routers CVE-2019-1653 Information Disclosure Vulnerability

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.

Cisco Small Business RV320 and RV325 Routers could allow a remote attacker to obtain sensitive information, caused by improper access controls for URLs in the web-based management interface. By requesting specific URLs, a remote attacker could exploit this vulnerability to obtain sensitive information.

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Access Complexity: LOW
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Affected Products

Vendor | Product | Versions
Cisco | Rv320 Firmware | 1.4.2.15, 1.4.2.17
Cisco | Rv325 Firmware | 1.4.2.15, 1.4.2.17

Vendor Advisories

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device ...

Exploits

# Exploit Title: 6coRV Exploit
# Date: 01-26-2018
# Exploit Author: Harom Ramos [Horus]
# Tested on: Cisco RV300/RV320
# CVE : CVE-2019-1653

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from fake_useragent import UserAgent

def random_headers():
    return dict({'user-agent': UserAgent().random})

def req ...

Mailing Lists

RedTeam Pentesting discovered that the Cisco RV320 router exposes sensitive diagnostic data without authentication through the device's web interface. Versions affected include 1.4.2.15 and 1.4.2.17 ...
RedTeam Pentesting discovered that the configuration of a Cisco RV320 router may be exported without authentication through the device's web interface. Affected versions include 1.4.2.15 and 1.4.2.17 ...
Cisco RV300 and RV320 suffer from an information disclosure vulnerability ...

Advisory: Cisco RV320 Unauthenticated Diagnostic Data Retrieval
RedTeam Pentesting discovered that the Cisco RV320 router exposes sensitive diagnostic data without authentication through the device's web interface.
Details
=======
Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
Affected Versions: 1.4.2.15, 1.4.2.17
Fixed Versi ...

Advisory: Cisco RV320 Unauthenticated Configuration Export
RedTeam Pentesting discovered that the configuration of a Cisco RV320 router may be exported without authentication through the device's web interface.
Details
=======
Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
Affected Versions: 1.4.2.15, 1.4.2.17
Fixed Versions: ...

Metasploit Modules

Cisco RV320/RV326 Configuration Disclosure

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.

msf > use auxiliary/gather/cisco_rv320_config
      msf auxiliary(cisco_rv320_config) > show actions
            ...actions...
      msf auxiliary(cisco_rv320_config) > set ACTION <action-name>
      msf auxiliary(cisco_rv320_config) > show options
            ...show and set options...
      msf auxiliary(cisco_rv320_config) > run

Github Repositories

CVE-2019-1653
NSE script to scan for Cisco routers vulnerable to CVE-2019-1653.
Usage: nmap --script cve_2019_1653 -p 443 <host>

CiscoRV320Dump
CVE-2019-1653/CVE-2019-1652 Exploits For Dumping Cisco RV320 Configurations and getting RCE.
Implementations of the CVE-2019-1652 and CVE-2019-1653 exploits disclosed by Red Team Pentesting GmbH.
Exploits
Config Dumper Exploit
For the configuration dump exploit, just set target, port, ssl on/off, and output directory. It will dump the configuration to there.

Recent Articles

Active Scans Target Vulnerable Cisco Routers for Remote Code-Execution
Threatpost • Tara Seals • 28 Jan 2019

UPDATE
Malicious scanning activity targeting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers is underway, with a swell of opportunistic probes looking for vulnerable devices ramping up since Friday.
According to Bad Packets Report’s honeypot data, cyberattackers are targeting a pair of just-patched vulnerabilities that allow remote unauthenticated information disclosure (CVE-2019-1653) leading to remote code-execution (CVE-2019-1652) on the routers. There are more...

Miscreants sweep internet for unpatched Cisco kit, fears over bugged Chinese parts, Roger Stone nabbed...
The Register • Shaun Nichols in San Francisco • 26 Jan 2019

...PHP's PEAR sabotaged for months, and more from the world of infosec

Roundup This week we saw Hadoop hacks, Exchange exploits, and Deadpool besting scammers.
Here's some more computer security news to round off your week...
Earlier this week, Cisco cleaned up a series of security flaws in its routers. Now, admins are being urged to apply those fixes as soon as possible now that exploits for two flaws in particular are public.
A security dev going by the name of David Davidson has provided proof-of-concept code that leverages a data-disclosure vu...

SD-WAN admin? Your number came up in Cisco's latest bug list
The Register • Richard Chirgwin • 24 Jan 2019

Webex, security, IoT systems also need patches

Cisco's irregular patch cycle has come round again and this time the focus is on the company's SD-WAN product.
As well as high-rated bugs in Webex, small business routers and various security products, Switchzilla has disclosed one critical bug in its SD-WAN, and another four vulnerabilities rated high.
That critical rating was assigned to CVE-2019-1651, a bug in the SD-WAN's virtual container, vContainer, the VM which hosts the SD-WAN controllers. If an attacker sends a malicious fi...

References