===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.3369
Multiple Issues in Cisco Small Business RV160, 260, and 340
Series VPN Routers
5 September 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           Cisco Small Business RV160, 260, and 340 Series VPN Routers
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Root Compromise        -- Existing Account
                   Access Privileged Data -- Existing Account
                   Reduced Security       -- Unknown/Unspecified
Resolution:        Patch/Upgrade
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-sb-vpnrouter
--------------------------BEGIN INCLUDED TEXT--------------------
Multiple Issues in Cisco Small Business RV160, 260, and 340 Series VPN Routers
Priority: Informational
Advisory ID: cisco-sa-20190904-sb-vpnrouter
First Published: 2019 September 4 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Summary
o SEC Consult, a consulting firm for the areas of cyber and application
security, contacted the Cisco Product Security Incident Response Team
(PSIRT) to report the following issues found in firmware images for Cisco
RV340 Dual WAN Gigabit VPN Routers:
  * Undocumented user accounts
  * Hardcoded password hashes
  * Unneeded software packages
  * Multiple vulnerabilities in third-party software (TPS) components
Cisco PSIRT investigated each issue, and the following are the
investigation results:
Undocumented User Accounts
An attacker with access to the base operating system of the Cisco Small
Business RV160, 260, and 340 Series VPN Router software may view
undocumented user accounts on an affected device. These accounts include
debug-admin and root accounts. Cisco has removed these accounts from the
Cisco Small Business RV160, 260, and 340 Series VPN Routers software
starting with the releases listed later in this advisory.
Hardcoded Password Hashes
Cisco Small Business RV160, 260, and 340 Series VPN Router firmware has
hardcoded password hashes for the users root, debug-admin, cisco, admin,
and guest. An attacker with access to the base operating system of an
affected device could attempt to exploit this issue to elevate privileges
to these users.
Unneeded Software Packages
Cisco Small Business RV160, 260, and 340 Series VPN Routers contain GNU
Debugger and tcpdump software packages. The tcpdump package will remain on
future software releases for Cisco RV340 Series Router software, but Cisco
has removed the tcpdump package in the Cisco RV160 and RV260 Series Router
software starting with the releases listed later in this advisory. Cisco
has removed the GNU Debugger package from the Cisco RV160, 260, and 340
Series Router software starting with the releases listed later in this
advisory.
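An added example, not part of the Cisco advisory or the AusCERT bulletin: a check a defender could run against an unpacked firmware root filesystem to list accounts that carry a password hash and to find the debug tools named above. The /etc/shadow location, the binary names gdb, gdbserver and tcpdump, and the sample tree with its placeholder hashes are assumptions constructed for illustration.

```python
import os
import tempfile

# Names the advisory lists for undocumented accounts or hardcoded hashes.
ADVISORY_ACCOUNTS = {"root", "debug-admin", "cisco", "admin", "guest"}
# Assumed binary names for the GNU Debugger and tcpdump packages.
DEBUG_TOOLS = {"gdb", "gdbserver", "tcpdump"}

def accounts_with_hashes(shadow_text):
    """Return account names whose shadow password field holds a usable hash."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        # Empty, "*" and "!"-prefixed fields carry no usable hash.
        if fields[1] and not fields[1].startswith(("!", "*")):
            names.append(fields[0])
    return names

def find_debug_tools(rootfs):
    """Return rootfs-relative paths of files named like a debug tool."""
    hits = []
    for dirpath, _dirs, files in os.walk(rootfs):
        hits += [os.path.relpath(os.path.join(dirpath, f), rootfs)
                 for f in files if f in DEBUG_TOOLS]
    return sorted(hits)

def audit_rootfs(rootfs):
    """Summarise hash-bearing accounts and debug tools in an unpacked image."""
    with open(os.path.join(rootfs, "etc", "shadow"), errors="replace") as fh:
        names = accounts_with_hashes(fh.read())
    return {"hashed_accounts": names,
            "advisory_accounts": sorted(set(names) & ADVISORY_ACCOUNTS),
            "debug_tools": find_debug_tools(rootfs)}

def build_sample_rootfs(base):
    """Create a constructed sample tree; the hash strings are placeholders."""
    os.makedirs(os.path.join(base, "etc"))
    os.makedirs(os.path.join(base, "usr", "bin"))
    with open(os.path.join(base, "etc", "shadow"), "w") as fh:
        fh.write("root:$1$SALT$PLACEHOLDER:0:0:99999:7:::\n"
                 "debug-admin:$1$SALT$PLACEHOLDER:0:0:99999:7:::\n"
                 "daemon:*:0:0:99999:7:::\nnobody:!:0:0:99999:7:::\n")
    for tool in ("busybox", "gdb", "tcpdump"):
        open(os.path.join(base, "usr", "bin", tool), "w").close()
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_rootfs(build_sample_rootfs(os.path.join(tmp, "rootfs"))))
```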
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-sb-vpnrouter
Affected Products
o The issues described in this advisory affect the following Cisco products
when they are running the following firmware releases:
  * RV160 Series VPN Routers: 1.0.00.15 and earlier
  * RV260 Series VPN Routers: 1.0.00.15 and earlier
  * RV340 Series Dual WAN Gigabit VPN Routers: 1.0.02.16 and earlier
Products Confirmed Not Affected
Only products listed in the Affected Products section of this advisory are
known to be affected by these issues.
Updated Software
Cisco has removed the undocumented user accounts and unneeded software
packages in the following software releases:
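+-------------------------------------------+----------------------------------------+
| Cisco Product                             | First Updated Release for This Product |
+-------------------------------------------+----------------------------------------+
| RV160 Series VPN Routers                  | 1.0.00.16                              |
| RV260 Series VPN Routers                  | 1.0.00.16                              |
| RV340 Series Dual WAN Gigabit VPN Routers | 1.0.03.16 ^1                           |
+-------------------------------------------+----------------------------------------+
1. The tcpdump package will remain in the RV340 Series software.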
Future software releases will replace the default password hashes with
hashed, randomly generated passwords.
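An added example, not part of the Cisco advisory or the AusCERT bulletin: classifying a device inventory against the release bounds given in the Affected Products and Updated Software sections. The inventory rows, host names and status labels are constructed for illustration; releases that fall between the two bounds (possible for the RV340 series) are reported as unclassified because the advisory does not place them.

```python
# Releases copied from the advisory's Affected Products and Updated Software sections.
LAST_AFFECTED = {"RV160": "1.0.00.15", "RV260": "1.0.00.15", "RV340": "1.0.02.16"}
FIRST_UPDATED = {"RV160": "1.0.00.16", "RV260": "1.0.00.16", "RV340": "1.0.03.16"}

def parse_release(text):
    """Turn '1.0.00.15' into (1, 0, 0, 15) so fields compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected release format: {text!r}")
    return tuple(int(p) for p in parts)

def classify(series, release):
    """Return 'affected', 'updated', 'unclassified' or 'not-listed'."""
    if series not in LAST_AFFECTED:
        return "not-listed"
    version = parse_release(release)
    if version <= parse_release(LAST_AFFECTED[series]):
        return "affected"
    if version >= parse_release(FIRST_UPDATED[series]):
        # Accounts and packages are removed here; the advisory defers the
        # default password hashes to future releases.
        return "updated"
    # Between the two bounds the advisory gives; it does not place these.
    return "unclassified"

# Constructed inventory: (hostname, series, firmware release).
INVENTORY = [
    ("branch-a", "RV160", "1.0.00.13"),
    ("branch-b", "RV260", "1.0.00.16"),
    ("hq-edge", "RV340", "1.0.02.16"),
    ("lab-1", "RV340", "1.0.03.15"),
    ("lab-2", "other-model", "2.1.0.0"),
]

def report(inventory):
    """Return (hostname, status) for every inventory row."""
    return [(host, classify(series, release)) for host, series, release in inventory]

if __name__ == "__main__":
    for host, status in report(INVENTORY):
        print(f"{host}: {status}")
```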
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the issues that are described
in this advisory.
Source
o Cisco would like to thank security researchers Stefan Viehbock and Thomas
Weber of SEC Consult/IoT Inspector for reporting these issues.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-sb-vpnrouter
Revision History
o +---------+------------------------+---------+--------+-------------------+
  | Version | Description            | Section | Status | Date              |
  +---------+------------------------+---------+--------+-------------------+
  | 1.0     | Initial public         | -       | Final  | 2019-September-04 |
  |         | release.               |         |        |                   |
  +---------+------------------------+---------+--------+-------------------+
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================