CVE-2019-1653

Published: 24/01/2019 Updated: 08/04/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 552
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote malicious user to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the malicious user to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.

Affected Products

Vendor   Product          Versions
Cisco    Rv320 Firmware   1.4.2.15, 1.4.2.17
Cisco    Rv325 Firmware   1.4.2.15, 1.4.2.17

Vendor Advisories

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device ...

Exploits

# Exploit Title: 6coRV Exploit # Date: 01-26-2018 # Exploit Author: Harom Ramos [Horus] # Tested on: Cisco RV300/RV320 # CVE : CVE-2019-1653 import requests from requests.packages.urllib3.exceptions import InsecureRequestWarning from fake_useragent import UserAgent def random_headers(): return dict({'user-agent': UserAgent().random}) def req ...
## # This module requires Metasploit: metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::CmdStager def init ...

Mailing Lists

RedTeam Pentesting discovered that the configuration of a Cisco RV320 router can still be exported without authentication via the device's web interface due to an inadequate fix by the vendor ...
Cisco RV300 and RV320 suffer from an information disclosure vulnerability ...
RedTeam Pentesting discovered that the configuration of a Cisco RV320 router may be exported without authentication through the device's web interface. Affected versions include 1.4.2.15 and 1.4.2.17 ...
RedTeam Pentesting discovered that the Cisco RV320 router still exposes sensitive diagnostic data without authentication via the device's web interface due to an inadequate fix by the vendor ...
RedTeam Pentesting discovered that the Cisco RV320 router exposes sensitive diagnostic data without authentication through the device's web interface. Versions affected include 1.4.2.15 and 1.4.2.17 ...
Advisory: Cisco RV320 Unauthenticated Configuration Export. RedTeam Pentesting discovered that the configuration of a Cisco RV320 router can still be exported without authentication via the device's web interface due to an inadequate fix by the vendor. Details ======= Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others Affected Ver ...
Advisory: Cisco RV320 Unauthenticated Diagnostic Data Retrieval. RedTeam Pentesting discovered that the Cisco RV320 router still exposes sensitive diagnostic data without authentication via the device's web interface due to an inadequate fix by the vendor. Details ======= Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others Affected ...
Advisory: Cisco RV320 Unauthenticated Diagnostic Data Retrieval. RedTeam Pentesting discovered that the Cisco RV320 router exposes sensitive diagnostic data without authentication through the device's web interface. Details ======= Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others Affected Versions: 1.4.2.15, 1.4.2.17 Fixed Versi ...
Advisory: Cisco RV320 Unauthenticated Configuration Export. RedTeam Pentesting discovered that the configuration of a Cisco RV320 router may be exported without authentication through the device's web interface. Details ======= Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others Affected Versions: 1.4.2.15, 1.4.2.17 Fixed Versions: ...
This Metasploit module combines an information disclosure (CVE-2019-1653) and a command injection vulnerability (CVE-2019-1652) together to gain unauthenticated remote code execution on Cisco RV320 and RV325 small business routers. Can be exploited via the WAN interface of the router, either via HTTPS on port 443 or HTTP on port 8007 on some older ...

Metasploit Modules

Cisco RV320/RV326 Configuration Disclosure

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.

msf > use auxiliary/gather/cisco_rv320_config
msf auxiliary(cisco_rv320_config) > show actions
    ...actions...
msf auxiliary(cisco_rv320_config) > set ACTION <action-name>
msf auxiliary(cisco_rv320_config) > show options
    ...show and set options...
msf auxiliary(cisco_rv320_config) > run

Github Repositories

CVE-2019-1653 NSE script to scan for Cisco routers vulnerable to CVE-2019-1653. Usage: nmap --script cve_2019_1653 -p 443 <host>

CiscoSpill Just a PoC tool to extract password using CVE-2019-1653. CVE-2019-1653: A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit thi

CiscoExploit Cisco Scan (IP/Port/HostName/Boot/Version) www.cnblogs.com/k8gege/p/10679491.html CVE-2019-1821 Cisco Prime Infrastructure Remote Code Execution srcincite.io/blog/2019/05/17/panic-at-the-cisco-unauthenticated-rce-in-prime-infrastructure.html Cisco SNMP RCE github.com/artkond/cisco-snmp-rce CVE-2019-1652 /CVE-2019-1653 Exploits For Dumping C

CiscoRV320Dump CVE-2019-1653/CVE-2019-1652 Exploits For Dumping Cisco RV320 Configurations and getting RCE. Implementations of the CVE-2019-1652 and CVE-2019-1653 exploits disclosed by Red Team Pentesting GmbH. I only tested these on an RV320, but according to the Cisco advisory, the RV325 is also vulnerable. The following Shodan queries appear to find them, if you are curious a

Recent Articles

Cisco Finally Patches Routers Bugs As New Unpatched Flaws Surface
Threatpost • Tom Spring • 05 Apr 2019

After a botched first attempt at patching two high-severity bugs affecting its RV320 and RV325 routers, Cisco Systems is out with fresh new fixes for both devices. However, Cisco isn’t out of the woods yet. On Thursday, it also reported two new medium-severity router bugs impacting the same router models – and with no reported fixes or workarounds.
The good news for Cisco was it said it finally successfully patched its RV320 and RV325 WAN VPN routers after first bungling the fix. Last ...

Cisco Botches Fix for RV320, RV325 Routers, Just Blocks 'curl' User Agent
BleepingComputer • Ionut Ilascu • 28 Mar 2019

Cisco's RV320 and RV325 router models for small offices and small businesses remain vulnerable to two high-severity flaws two months after the vendor announced the availability of patches. The fixes failed their purpose and attackers can still chain the bugs to take control of the devices.
Both glitches are in the web management interface of the routers and allow attackers to retrieve sensitive information (CVE-2019-1652) and run commands remotely with admin privileges (CVE-2019-1653).

Cisco Releases Flood of Patches for IOS XE, But Leaves Some Routers Open to Attack
Threatpost • Tom Spring • 27 Mar 2019

UPDATE
Cisco Systems issued 24 patches Wednesday tied to vulnerabilities in its IOS XE operating system and warned customers that two small business routers (RV320 and RV325) are vulnerable to attack and that no patches are available for either. A total of 19 of the bugs were rated high severity by Cisco, with the others rated medium.
The two router vulnerabilities are rated high and are part of Cisco’s Dual Gigabit WAN VPN RV320 and RV325 line of small business routers. Both rou...

Active Scans Target Vulnerable Cisco Routers for Remote Code-Execution
Threatpost • Tara Seals • 28 Jan 2019

UPDATE
Malicious scanning activity targeting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers is underway, with a swell of opportunistic probes looking for vulnerable devices ramping up since Friday.
According to Bad Packets Report’s honeypot data, cyberattackers are targeting a pair of just-patched vulnerabilities that allow remote unauthenticated information disclosure (CVE-2019-1653) leading to remote code-execution (CVE-2019-1652) on the routers. There are more...

Hackers Targeting Cisco RV320/RV325 Routers Using New Exploits
BleepingComputer • Ionut Ilascu • 27 Jan 2019

Disclosure of proof-of-exploit code for security bugs in Cisco routers for small businesses prompted hackers to scan for vulnerable devices in an attempt to take full control of them.
Cisco this week announced updates for router models RV320 and RV325 that fix a command injection (CVE-2019-1652) and an information disclosure (CVE-2019-1653) vulnerability; both of them are in the routers' web management interface.
Exploiting the former requires authentication and admin privileges to a...

Miscreants sweep internet for unpatched Cisco kit, fears over bugged Chinese parts, Roger Stone nabbed...
The Register • Shaun Nichols in San Francisco • 26 Jan 2019

...PHP's PEAR sabotaged for months, and more from the world of infosec

Roundup This week we saw Hadoop hacks, Exchange exploits, and Deadpool besting scammers.
Here's some more computer security news to round off your week...
Earlier this week, Cisco cleaned up a series of security flaws in its routers. Now, admins are being urged to apply those fixes as soon as possible now that exploits for two flaws in particular are public.
A security dev going by the name of David Davidson has provided proof-of-concept code that leverages a data-disclosure vu...

SD-WAN admin? Your number came up in Cisco's latest bug list
The Register • Richard Chirgwin • 24 Jan 2019

Webex, security, IoT systems also need patches

Cisco's irregular patch cycle has come round again and this time the focus is on the company's SD-WAN product.
As well as high-rated bugs in Webex, small business routers and various security products, Switchzilla has disclosed one critical bug in its SD-WAN, and another four vulnerabilities rated high.
That critical rating was assigned to CVE-2019-1651, a bug in the SD-WAN's virtual container, vContainer, the VM which hosts the SD-WAN controllers. If an attacker sends a malicious fi...