Two flaws remain open to command injection

Two security flaws in a low-end Cisco router still leave it open to command injection attacks – despite the networking behemoth having released fixes earlier this year.

Security researchers at RedTeam Pentesting announced yesterday that versions of the Cisco RV320 Dual Gigabit WAN VPN Router, a device used mainly by small businesses, remained susceptible to attackers gaining administrative privileges both with and without a password.

The issues had previously been identified as CVE-2019-1652 and CVE-2019-1653 in January, when the Germany-based bug hunters released a proof-of-concept (PoC) detailing the exploits that together could be used to obtain sensitive information and execute arbitrary commands through the product’s web-based certificate generator feature.

Versions 1.4.2.15 through 1.4.2.20 of the software were said to be impacted at the time.

“By providing a specially crafted common name, it was possible to inject shell commands which were subsequently executed on the router as the root user,” said RedTeam Pentesting, writing in a blog post about the vulnerabilities, which they first notified Cisco of in September 2018.

“RedTeam Pentesting discovered that the certificate generator in the patched firmware is still vulnerable,” it added, referring to its more recent findings and the “inadequacy” of the fixes released by Cisco.

RedTeam Pentesting found that Cisco had merely blocked the specific proof of concept by rejecting requests made with the “curl” tool, in order to prevent attackers from obtaining web authentication details. It had not addressed the underlying problem and had dealt with only one of the many attack vectors opened up by the vulnerabilities.

“The update adds several filters to handle single quotes in user input,” it said.

“However, these filters can be evaded by specially crafted inputs.”
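The general lesson of the quotes above is that filtering individual characters out of user input before handing it to a shell is a denylist, and denylists get evaded; the durable fix is to keep the shell out of the picture and validate the value against what it is allowed to be. The example below is added here for illustration and is not code from Cisco, RedTeam Pentesting or the router firmware: it contrasts a certificate-generation helper that interpolates the common name into a shell string (the vulnerable pattern) with one that allowlists the common name as a hostname and passes it to the process as a single argv element with no shell. The function names, the allowlist policy and the sample common names are constructed for this example.

```python
import re
import subprocess
from typing import List

# Constructed allowlist: a common name is accepted only if every dot-separated
# label is a hostname label (letters, digits, interior hyphens, max 63 chars).
# This is the example's own policy, not a rule taken from the router firmware.
_CN_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_common_name(cn: str) -> bool:
    """Allowlist check: reject anything that is not a plain hostname."""
    if not cn or len(cn) > 253:
        return False
    return all(_CN_LABEL.match(label) for label in cn.split("."))


def vulnerable_shell_command(cn: str) -> str:
    """The 'before' pattern: the common name is spliced into a shell command line.

    Whatever the user typed is parsed by /bin/sh, so the only protection is
    whichever characters a filter happens to strip, which is exactly the
    denylist approach the article describes as evadable. Returned as a string
    here for inspection; never run it with shell=True.
    """
    return (
        "openssl req -new -x509 -nodes -keyout key.pem -out cert.pem "
        f"-subj '/CN={cn}'"
    )


def hardened_argv(cn: str) -> List[str]:
    """The hardened form: validate, then build an argv list with no shell.

    The common name travels as one argument in the argv array, so no shell
    ever tokenises it; a quote or metacharacter in cn would be a literal part
    of the subject, and the allowlist rejects it anyway.
    """
    if not is_valid_common_name(cn):
        raise ValueError(f"common name rejected by allowlist: {cn!r}")
    return [
        "openssl", "req", "-new", "-x509", "-nodes",
        "-keyout", "key.pem", "-out", "cert.pem",
        "-subj", f"/CN={cn}",
    ]


def generate_certificate(cn: str) -> subprocess.CompletedProcess:
    """Run openssl with the validated argv; shell=False is the default but is
    written out to make the design decision visible to reviewers."""
    return subprocess.run(hardened_argv(cn), shell=False, check=True,
                          capture_output=True)


if __name__ == "__main__":
    # Sample common names constructed for the example.
    for sample in ("vpn.example.com", "vpn'.example.com", "a b.example.com"):
        try:
            print(hardened_argv(sample))
        except ValueError as exc:
            print("rejected:", exc)
```

The two functions differ in kind, not in degree: `hardened_argv` does not need to know which characters a shell treats specially, because the argument never reaches a shell. Validation is still applied, so a subject that is not a hostname is refused with a clear error rather than quietly accepted. Adding another stripped character to `vulnerable_shell_command` would only reproduce the partial fix the researchers criticised.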

Cisco released an advisory related to vulnerabilities in its products yesterday, including CVE-2019-1652 and CVE-2019-1653.

The company has admitted that its original patches were problematic, telling The Daily Swig: 

“We are working on a complete fix with the highest priority and thank our customers and our partners for their patience during the resolution of this issue.”