-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4173
    Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Issues
                              7 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Small Business RV016, RV042, RV042G, and RV082 Routers
Publisher:         Cisco Systems
Operating System:  Network Appliance
Impact/Access:     Root Compromise  -- Existing Account   
                   Reduced Security -- Unknown/Unspecified
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-rv0x2

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Issues

Priority:        Informational

Advisory ID:     cisco-sa-20191106-rv0x2

First Published: 2019 November 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds availableCisco Bug IDs:   CSCvq34370CSCvq34376

CWE-798

Summary

  o Cisco firmware for certain Cisco Small Business RV Series Routers is
    affected by the following issues:

       Certificate and key issued to QNO Technology
       Hardcoded password hashes
       Multiple vulnerabilities in third-party software (TPS) components

    Certificate and Key Issued to QNO Technology

    An X.509 certificate with a corresponding public/private key pair was
    initially found in Cisco RV042 Dual WAN VPN Router firmware. This
    certificate is issued to third-party entity QNO Technology.

    The certificate and keys in question are part of the firmware for the
    following Cisco products:

       RV016 Multi-WAN VPN Router
       RV042 Dual WAN VPN Router
       RV042G Dual Gigabit WAN VPN Router
       RV082 Dual WAN VPN Router

    The certificate and keys were used for testing during the development of
    the firmware; they were never used for live functionality in any shipping
    version of the product. All shipping versions of the firmware for the
    affected products use dynamically created certificates instead.

    The inclusion of this certificate and keys in shipping software was an
    oversight by the development team for these routers.

    Cisco bug ID: CSCvq34370

    Hardcoded Password Hashes

    The /etc/shadow file included in Cisco firmware for the following Cisco
    products contains hardcoded password hashes for the users root , cisco ,
    and lldpd .

       RV016 Multi-WAN VPN Router
       RV042 Dual WAN VPN Router
       RV042G Dual Gigabit WAN VPN Router
       RV082 Dual WAN VPN Router

    The /etc/shadow file is not consulted during user authentication by the
    firmware. Instead, a dedicated alternate user database is used to
    authenticate users who log in to the web-based management interface of the
    affected routers.

    An attacker with access to the base operating system on an affected device
    could exploit this issue to obtain elevated privileges at the level of the
    root , cisco , or lldpd user. However, Cisco is not currently aware of a
    way to access the base operating system on these routers.

    Cisco bug ID: CSCvq34376

    Multiple Vulnerabilities in Third-Party Software Components

    Third-party software (TPS) components in the firmware for the following
    products contain vulnerabilities:

       RV016 Multi-WAN VPN Router
       RV042 Dual WAN VPN Router
       RV042G Dual Gigabit WAN VPN Router
       RV082 Dual WAN VPN Router

    Cisco will handle these vulnerabilities by using the regular Cisco process
    for TPS vulnerabilities in accordance with the Cisco Security Vulnerability
    Policy . For information about known TPS vulnerabilities that affect the
    firmware for these routers, consult the Cisco Bug Search Tool .

Affected Products

  o These issues affect the following Cisco Small Business RV Series Routers
    when they are running a firmware release earlier than 4.2.3.10:

       RV016 Multi-WAN VPN Router ^ 1
       RV042 Dual WAN VPN Router
       RV042G Dual Gigabit WAN VPN Router
       RV082 Dual WAN VPN Router ^ 1

    1. The Cisco RV016 Multi-WAN VPN Router and RV082 Dual WAN VPN Router have
    reached the end of software maintenance.

    Products Confirmed Not Affected

    Only products listed in the Affected Products section of this advisory are
    known to be affected by these issues.

    Updated Firmware

    Cisco removed the static certificates and keys as well as the hardcoded
    password hashes in firmware releases 4.2.3.10 and later for the Cisco RV042
    Dual WAN VPN Router and RV042G Dual Gigabit WAN VPN Router.

    Customers can download the firmware from the Software Center on Cisco.com
    by doing the following:

       Click Browse all.
       Choose Routers > Small Business Routers > Small Business RV Series
        Routers.
       Choose a specific product from the right pane of the product selector.
       Click Small Business Router Firmware.

Source

  o Cisco would like to thank security researchers Stefan Viehbock and Thomas
    Weber of SEC Consult/IoT Inspector for reporting these issues.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20191106-rv0x2

Revision History

  o +---------+-------------------------+---------+--------+------------------+
    | Version |       Description       | Section | Status |       Date       |
    +---------+-------------------------+---------+--------+------------------+
    | 1.0     | Initial public release. | -       | Final  | 2019-November-06 |
    +---------+-------------------------+---------+--------+------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXcN5XmaOgq3Tt24GAQhhfw/9GAc5RbLNQbUcp9rhZjkF+GXQpNpoEqev
xMeaKUpDijQGcKQ6TXlreTruRmvFLwB2C/VkK56jXiY+zP08785ixu07nOtyTV26
ZBGMHvQ9OYFoEVqfY6SainXtyIsi22ROUiZr4vxjIkj1mXtxpRt82oG9FRvQ7s/q
0yVbWKU1uYysKHYB2cWmI6+MJuULe2omjMxjBUMWUMJ2f8wb7ZU97N3kiyd3YDIo
SFv4mXe29lELztNNi/q7EJ63sATEBK0QKp/YIhGeNlo5F8MWs4rW0zW8KoECE9Ve
Vl4Hjm9WEfx6S+fEMRoIqNXRvSYk1eIEr9cK7gQc2yT7lXKR5Z47eDRCLiniTc5b
Aj07GeOXr+XWlZtDfI+Rs86mx13o5JJKki6GrxXBJuAKEnAU+MzxPtdawY9Ash+q
uvLpVb30T8/XD2N/IXsCe6WzdZv/fBeoI/ZuXoLFxnwk18nL9uQf396T2PrNEMKn
b7Nfw/8B0LTCi86iEQ/3ZrwYKW79NqKltijk94o6jMALpkC0k7wavZGer7YUpcAD
xiO7DxwuouC4FtXe01K8zU8P07b7WnvnoA3X6jJOSVorTbwyRuCEPKOpx3bmWJbe
7LROi4LQutwh563j/wZKFwcXHC9fU6qVi2mcU6PtErWTz9u0+xEgvkp44g49biv0
lRwOyY/858Y=
=1tvW
-----END PGP SIGNATURE-----