Cisco Patches Fail to Shore Up Flaws in Small Business Routers
Cisco was originally notified in September 2018 by RedTeam Pentesting security experts of multiple vulnerabilities affecting SD-WAN and small business routers, RV320 and RV325. Cisco delivered patches in January 2019; however, RedTeam found this initial fix to be incomplete and notified Cisco again. These vulnerabilities allow attackers to “execute arbitrary operating system commands (CVE-2019-1652) as well as gather sensitive configuration and diagnostic information that could be used to compromise the device and attached networks (CVE-2019-1653).” Cisco confirmed they will have a fix for these vulnerabilities in RV320 and RV325 Dual Gigabit WAN VPN Routers Firmware by the middle of April 2019. The NJCCIC recommends users patch systems when updates become available and restrict unauthorized users from gaining access to the routers’ web interface or the devices’ web server to mitigate the possibility of exploitation. We also advise users to disable the Remote Management feature to reduce exposure, and change both administrative and WiFi credentials. For more details, please see Cisco’s Security Advisory.