07 November 2019
===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2019.4173
Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Issues
7 November 2019

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Cisco Small Business RV016, RV042, RV042G, and RV082 Routers
Publisher:         Cisco Systems
Operating System:  Network Appliance
Impact/Access:     Root Compromise  -- Existing Account
                   Reduced Security -- Unknown/Unspecified
Resolution:        Patch/Upgrade

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-rv0x2

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Issues

Priority:        Informational
Advisory ID:     cisco-sa-20191106-rv0x2
First Published: 2019 November 6 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvq34370
                 CSCvq34376

CWE-798

Summary

  o Cisco firmware for certain Cisco Small Business RV Series Routers is
    affected by the following issues:

      * Certificate and key issued to QNO Technology
      * Hardcoded password hashes
      * Multiple vulnerabilities in third-party software (TPS) components

    Certificate and Key Issued to QNO Technology

    An X.509 certificate with a corresponding public/private key pair was
    initially found in Cisco RV042 Dual WAN VPN Router firmware. This
    certificate is issued to third-party entity QNO Technology. The
    certificate and keys in question are part of the firmware for the
    following Cisco products:

      * RV016 Multi-WAN VPN Router
      * RV042 Dual WAN VPN Router
      * RV042G Dual Gigabit WAN VPN Router
      * RV082 Dual WAN VPN Router

    The certificate and keys were used for testing during the development
    of the firmware; they were never used for live functionality in any
    shipping version of the product. All shipping versions of the firmware
    for the affected products use dynamically created certificates
    instead. The inclusion of this certificate and keys in shipping
    software was an oversight by the development team for these routers.

    Cisco bug ID: CSCvq34370

    Hardcoded Password Hashes

    The /etc/shadow file included in Cisco firmware for the following
    Cisco products contains hardcoded password hashes for the users root,
    cisco, and lldpd.

      * RV016 Multi-WAN VPN Router
      * RV042 Dual WAN VPN Router
      * RV042G Dual Gigabit WAN VPN Router
      * RV082 Dual WAN VPN Router

    The /etc/shadow file is not consulted during user authentication by
    the firmware. Instead, a dedicated alternate user database is used to
    authenticate users who log in to the web-based management interface of
    the affected routers.

    An attacker with access to the base operating system on an affected
    device could exploit this issue to obtain elevated privileges at the
    level of the root, cisco, or lldpd user. However, Cisco is not
    currently aware of a way to access the base operating system on these
    routers.

    Cisco bug ID: CSCvq34376

    Multiple Vulnerabilities in Third-Party Software Components

    Third-party software (TPS) components in the firmware for the
    following products contain vulnerabilities:

      * RV016 Multi-WAN VPN Router
      * RV042 Dual WAN VPN Router
      * RV042G Dual Gigabit WAN VPN Router
      * RV082 Dual WAN VPN Router

    Cisco will handle these vulnerabilities by using the regular Cisco
    process for TPS vulnerabilities in accordance with the Cisco Security
    Vulnerability Policy. For information about known TPS vulnerabilities
    that affect the firmware for these routers, consult the Cisco Bug
    Search Tool.

Affected Products

  o These issues affect the following Cisco Small Business RV Series
    Routers when they are running a firmware release earlier than
    184.108.40.206:

      * RV016 Multi-WAN VPN Router ^1
      * RV042 Dual WAN VPN Router
      * RV042G Dual Gigabit WAN VPN Router
      * RV082 Dual WAN VPN Router ^1

    1. The Cisco RV016 Multi-WAN VPN Router and RV082 Dual WAN VPN Router
       have reached the end of software maintenance.

    Products Confirmed Not Affected

    Only products listed in the Affected Products section of this advisory
    are known to be affected by these issues.

    Updated Firmware

    Cisco removed the static certificates and keys as well as the
    hardcoded password hashes in firmware releases 220.127.116.11 and
    later for the Cisco RV042 Dual WAN VPN Router and RV042G Dual Gigabit
    WAN VPN Router.

    Customers can download the firmware from the Software Center on
    Cisco.com by doing the following:

     1. Click Browse all.
     2. Choose Routers > Small Business Routers > Small Business RV Series
        Routers.
     3. Choose a specific product from the right pane of the product
        selector.
     4. Click Small Business Router Firmware.

Source

  o Cisco would like to thank security researchers Stefan Viehbock and
    Thomas Weber of SEC Consult/IoT Inspector for reporting these issues.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document
    also contains instructions for obtaining fixed software and receiving
    security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-rv0x2

Revision History

  o +---------+-------------------------+---------+--------+------------------+
    | Version | Description             | Section | Status | Date             |
    +---------+-------------------------+---------+--------+------------------+
    | 1.0     | Initial public release. | -       | Final  | 2019-November-06 |
    +---------+-------------------------+---------+--------+------------------+

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
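
Added example (not part of the Cisco advisory or the AusCERT bulletin): one way to check an already extracted firmware root filesystem for the two static-credential issues described above, password hashes in /etc/shadow and embedded private keys. The function names, the sample shadow content and the test.key file are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# PEM armor that marks an embedded private key (PKCS#1, PKCS#8, EC, DSA, OpenSSH)
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY-----")

# Constructed sample: the hash strings are placeholders, not firmware values
SAMPLE_SHADOW = """\
root:$1$SALT0000$PLACEHOLDERHASH0000000:10933:0:99999:7:::
cisco:$1$SALT0001$PLACEHOLDERHASH0000001:10933:0:99999:7:::
lldpd:$1$SALT0002$PLACEHOLDERHASH0000002:10933:0:99999:7:::
nobody:*:10933:0:99999:7:::
daemon:!:10933:0:99999:7:::
"""

def accounts_with_hashes(shadow_text):
    """Names of accounts whose shadow password field holds a hash."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.strip().split(":") + [""]  # guarantee a password field
        # A leading "!" or "*" locks the account; an empty field is not a hash
        if fields[1] and not fields[1].startswith(("!", "*")):
            names.append(fields[0])
    return names

def audit_rootfs(root):
    """Report static credentials under an extracted firmware root filesystem."""
    root = Path(root)
    findings = {"shadow_hashes": [], "private_keys": []}
    shadow = root / "etc" / "shadow"
    if shadow.is_file() and not shadow.is_symlink():
        findings["shadow_hashes"] = accounts_with_hashes(shadow.read_text(errors="replace"))
    # Skip symlinks so links inside the image never resolve to files on the host
    for path in sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink()):
        if PRIVATE_KEY_RE.search(path.read_bytes()):
            findings["private_keys"].append(path.relative_to(root).as_posix())
    return findings

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp, "etc")
        etc.mkdir()
        (etc / "shadow").write_text(SAMPLE_SHADOW)
        (etc / "test.key").write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n")
        return audit_rootfs(tmp)

if __name__ == "__main__":
    print(demo())
```

A finding here only shows that static material ships in the image; as the advisory notes for these routers, whether it is ever consulted at run time has to be established separately.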