===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3369
  Multiple Issues in Cisco Small Business RV160, 260, and 340 Series VPN
                                  Routers
                              5 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Small Business RV160, 260, and 340 Series VPN Routers
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Root Compromise        -- Existing Account
                   Access Privileged Data -- Existing Account
                   Reduced Security       -- Unknown/Unspecified
Resolution:        Patch/Upgrade

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-sb-vpnrouter

--------------------------BEGIN INCLUDED TEXT--------------------

Multiple Issues in Cisco Small Business RV160, 260, and 340 Series VPN Routers

Priority:        Informational
Advisory ID:     cisco-sa-20190904-sb-vpnrouter
First Published: 2019 September 4 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available

Summary

  o SEC Consult, a consulting firm for the areas of cyber and application
    security, contacted the Cisco Product Security Incident Response Team
    (PSIRT) to report the following issues found in firmware images for
    Cisco RV340 Dual WAN Gigabit VPN Routers:

      * Undocumented user accounts
      * Hardcoded password hashes
      * Unneeded software packages
      * Multiple vulnerabilities in third-party software (TPS) components

    Cisco PSIRT investigated each issue, and the following are the
    investigation results:

    Undocumented User Accounts

    An attacker with access to the base operating system of the Cisco Small
    Business RV160, 260, and 340 Series VPN Router software may view
    undocumented user accounts on an affected device. These accounts include
    debug-admin and root accounts. Cisco has removed these accounts from the
    Cisco Small Business RV160, 260, and 340 Series VPN Routers software
    starting with the releases listed later in this advisory.

    Hardcoded Password Hashes

    Cisco Small Business RV160, 260, and 340 Series VPN Router firmware has
    hardcoded password hashes for the users root, debug-admin, cisco, admin,
    and guest. An attacker with access to the base operating system of an
    affected device could attempt to exploit this issue to elevate
    privileges to these users.

    Unneeded Software Packages

    Cisco Small Business RV160, 260, and 340 Series VPN Routers contain GNU
    Debugger and tcpdump software packages. The tcpdump package will remain
    on future software releases for Cisco RV340 Series Router software, but
    Cisco has removed the tcpdump package in the Cisco RV160 and RV260
    Series Router software starting with the releases listed later in this
    advisory. Cisco has removed the GNU Debugger package from the Cisco
    RV160, 260, and 340 Series Router software starting with the releases
    listed later in this advisory.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-sb-vpnrouter

Affected Products

  o The issues described in this advisory affect the following Cisco
    products when they are running the following firmware releases:

      * RV160 Series VPN Routers: 1.0.00.15 and earlier
      * RV260 Series VPN Routers: 1.0.00.15 and earlier
      * RV340 Series Dual WAN Gigabit VPN Routers: 1.0.02.16 and earlier

    Products Confirmed Not Affected

    Only products listed in the Affected Products section of this advisory
    are known to be affected by these issues.

Updated Software

  o Cisco has removed the undocumented user accounts and unneeded software
    packages in the following software releases:

    Cisco Product                               First Updated Release
                                                for This Product
    RV160 Series VPN Routers                    1.0.00.16
    RV260 Series VPN Routers                    1.0.00.16
    RV340 Series Dual WAN Gigabit VPN Routers   1.0.03.16 ^1

    1. The tcpdump package will remain in the RV340 Series software.

    Future software releases will replace the default password hashes with
    hashed, randomly generated passwords.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware
    of any public announcements or malicious use of the issues that are
    described in this advisory.

Source

  o Cisco would like to thank security researchers Stefan Viehbock and
    Thomas Weber of SEC Consult/IoT Inspector for reporting these issues.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving
    security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-sb-vpnrouter

Revision History

  o +---------+-------------------------+---------+--------+-------------------+
    | Version | Description             | Section | Status | Date              |
    +---------+-------------------------+---------+--------+-------------------+
    | 1.0     | Initial public release. | -       | Final  | 2019-September-04 |
    +---------+-------------------------+---------+--------+-------------------+

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
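An audit helper for the three findings in the Cisco advisory above, added here as an example; it is not code from Cisco, SEC Consult or AusCERT. It assumes the accounts are stored in standard shadow format and that the GNU Debugger and tcpdump ship under the file names `gdb` and `tcpdump`; the sample shadow entries and paths are constructed.

```python
import posixpath

# Values taken from the advisory text.
LAST_AFFECTED = {"RV160": "1.0.00.15", "RV260": "1.0.00.15", "RV340": "1.0.02.16"}
NAMED_ACCOUNTS = {"root", "debug-admin", "cisco", "admin", "guest"}
# Assumption: binary names under which GNU Debugger and tcpdump ship.
DEBUG_TOOLS = {"gdb", "tcpdump"}

def version_key(release):
    """'1.0.00.15' -> (1, 0, 0, 15), so zero-padded fields compare numerically."""
    return tuple(int(part) for part in release.split("."))

def is_affected(series, release):
    """True if the release is at or below the last affected one for the series."""
    return version_key(release) <= version_key(LAST_AFFECTED[series])

def accounts_with_hashes(shadow_text):
    """Advisory-named accounts whose shadow-format entry carries a password hash."""
    found = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, secret = fields[0], fields[1]
        # '*' or a leading '!' means locked; an empty field holds no hash.
        if user in NAMED_ACCOUNTS and secret and secret[0] not in "*!":
            found.append(user)
    return sorted(found)

def debug_tools_present(paths):
    """Paths from an extracted image whose file name is a debugging tool."""
    return sorted(p for p in paths if posixpath.basename(p) in DEBUG_TOOLS)

# Constructed sample data; the hash strings are placeholders, not real values.
SAMPLE_SHADOW = """\
root:$1$placeholder$constructedhash000000000:0:0:99999:7:::
debug-admin:$1$placeholder$constructedhash111111111:0:0:99999:7:::
guest:!:0:0:99999:7:::
nobody:*:0:0:99999:7:::
"""
SAMPLE_PATHS = ["/usr/bin/gdb", "/usr/sbin/tcpdump", "/bin/busybox"]

if __name__ == "__main__":
    print(is_affected("RV340", "1.0.02.16"), is_affected("RV340", "1.0.03.16"))
    print(accounts_with_hashes(SAMPLE_SHADOW))
    print(debug_tools_present(SAMPLE_PATHS))
```

Because the advisory says the default password hashes are only replaced in future releases, the account check remains relevant on the first updated releases as well.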