===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3369
        Multiple Issues in Cisco Small Business RV160, 260, and 340
                            Series VPN Routers
                             5 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Small Business RV160, 260, and 340 Series VPN Routers
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Root Compromise        -- Existing Account   
                   Access Privileged Data -- Existing Account   
                   Reduced Security       -- Unknown/Unspecified
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-sb-vpnrouter

--------------------------BEGIN INCLUDED TEXT--------------------

Multiple Issues in Cisco Small Business RV160, 260, and 340 Series VPN Routers

Priority:        Informational

Advisory ID:     cisco-sa-20190904-sb-vpnrouter

First Published: 2019 September 4 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Summary

  o SEC Consult, a consulting firm for the areas of cyber and application
    security, contacted the Cisco Product Security Incident Response Team
    (PSIRT) to report the following issues found in firmware images for Cisco
    RV340 Dual WAN Gigabit VPN Routers:

       Undocumented user accounts
       Hardcoded password hashes
       Unneeded software packages
       Multiple vulnerabilities in third-party software (TPS) components

    Cisco PSIRT investigated each issue, and the following are the
    investigation results:

    Undocumented User Accounts

    An attacker with access to the base operating system of the Cisco Small
    Business RV160, 260, and 340 Series VPN Router software may view
    undocumented user accounts on an affected device. These accounts include
    debug-admin and root accounts. Cisco has removed these accounts from the
    Cisco Small Business RV160, 260, and 340 Series VPN Routers software
    starting with the releases listed later in this advisory.

    Hardcoded Password Hashes

    Cisco Small Business RV160, 260, and 340 Series VPN Router firmware has
    hardcoded password hashes for the users root, debug-admin, cisco, admin,
    and guest. An attacker with access to the base operating system of an
    affected device could attempt to exploit this issue to elevate privileges
    to these users.

    Unneeded Software Packages

    Cisco Small Business RV160, 260, and 340 Series VPN Routers contain GNU
    Debugger and tcpdump software packages. The tcpdump package will remain on
    future software releases for Cisco RV340 Series Router software, but Cisco
    has removed the tcpdump package in the Cisco RV160 and RV260 Series Router
    software starting with the releases listed later in this advisory. Cisco
    has removed the GNU Debugger package from the Cisco RV160, 260, and 340
    Series Router software starting with the releases listed later in this
    advisory.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-sb-vpnrouter
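
    An added example, not part of the Cisco advisory or the AusCERT bulletin:
    one way to audit an unpacked firmware root filesystem for the three
    findings described above. The shadow contents, hash placeholders and file
    list are constructed, and the function names are hypothetical.

```python
# Added example: audit text taken from an unpacked firmware root filesystem.
# All sample data is constructed; the hash fields are placeholders, not real hashes.

ADVISORY_ACCOUNTS = {"root", "debug-admin", "cisco", "admin", "guest"}  # named in the advisory
UNNEEDED_BINARIES = {"gdb", "tcpdump"}  # GNU Debugger and tcpdump
LOCKED_PREFIXES = ("!", "*")  # shadow(5): such a field can never match a password


def accounts_with_credentials(shadow_text):
    """Return {user: scheme} for every shadow entry that permits a password login."""
    found = {}
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        user, pw = fields[0], fields[1]
        if pw.startswith(LOCKED_PREFIXES):
            continue  # locked account: nothing baked in to report
        if pw == "":
            found[user] = "empty"  # passwordless login, worse than a fixed hash
        elif pw.startswith("$") and pw.count("$") >= 3:
            found[user] = pw.split("$")[1]  # crypt(3) modular format: $id$salt$hash
        else:
            found[user] = "des"  # legacy 13-character crypt
    return found


def audit(shadow_text, file_list, documented):
    """Compare image contents with the documented accounts and the advisory's lists."""
    creds = accounts_with_credentials(shadow_text)
    return {
        "hardcoded_hashes": sorted(creds),
        "undocumented": sorted(u for u in creds if u not in documented),
        "advisory_accounts": sorted(ADVISORY_ACCOUNTS.intersection(creds)),
        "unneeded_binaries": sorted(
            p for p in file_list if p.rsplit("/", 1)[-1] in UNNEEDED_BINARIES),
    }


SAMPLE_SHADOW = """\
root:$1$SALTSALT$PLACEHOLDERHASH000000:17000:0:99999:7:::
debug-admin:$1$SALTSALT$PLACEHOLDERHASH111111:17000:0:99999:7:::
cisco:$1$SALTSALT$PLACEHOLDERHASH222222:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
nobody:!:17000:0:99999:7:::
"""
SAMPLE_FILES = ["/usr/bin/gdb", "/usr/sbin/tcpdump", "/usr/sbin/httpd", "/bin/busybox"]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_SHADOW, SAMPLE_FILES, documented={"cisco"}).items():
        print(f"{key}: {value}")
```

    Run the same check against the image of a fixed release to confirm that
    the accounts and packages the advisory lists as removed are gone.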

Affected Products

  o The issues described in this advisory affect the following Cisco products
    when they are running the following firmware releases:

       RV160 Series VPN Routers: 1.0.00.15 and earlier
       RV260 Series VPN Routers: 1.0.00.15 and earlier
       RV340 Series Dual WAN Gigabit VPN Routers: 1.0.02.16 and earlier

    Products Confirmed Not Affected

    Only products listed in the Affected Products section of this advisory are
    known to be affected by these issues.

    Updated Software

    Cisco has removed the undocumented user accounts and unneeded software
    packages in the following software releases:

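    +-------------------------------------------+----------------------------------------+
    | Cisco Product                             | First Updated Release for This Product |
    +-------------------------------------------+----------------------------------------+
    | RV160 Series VPN Routers                  | 1.0.00.16                              |
    | RV260 Series VPN Routers                  | 1.0.00.16                              |
    | RV340 Series Dual WAN Gigabit VPN Routers | 1.0.03.16 ^1                           |
    +-------------------------------------------+----------------------------------------+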

    1. The tcpdump package will remain in the RV340 Series software.

    Future software releases will replace the default password hashes with
    hashed, randomly generated passwords.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the issues that are described
    in this advisory.

Source

  o Cisco would like to thank security researchers Stefan Viehbock and Thomas
    Weber of SEC Consult/IoT Inspector for reporting these issues.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-sb-vpnrouter

Revision History

  o +---------+------------------------+---------+--------+-------------------+
    | Version |      Description       | Section | Status |       Date        |
    +---------+------------------------+---------+--------+-------------------+
    | 1.0     | Initial public         | -       | Final  | 2019-September-04 |
    |         | release.               |         |        |                   |
    +---------+------------------------+---------+--------+-------------------+

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================