Cisco fails to fix two high-risk flaws in small business routers

The remote-code execution and information disclosure bugs have been unpatched since January

Two critical vulnerabilities in small business routers first flagged months ago have yet to receive adequate fixes despite regular rounds of patching.

A pair of critical bugs in Cisco's RV320 and RV325 Dual Gigabit WAN VPN Routers were issued with initial fixes that were found to be incomplete, the company has admitted.

These failed patches were attempted as part of a wave of fixes issued yesterday, largely to plug gaps in the firm's IOS and IOS XE software.

There were 25 issues fixed in total, six of which were rated 'medium' while 19 were considered high-risk. Among this round of patches were patches for several command injection vulnerabilities and privilege escalation flaws.

"The initial fix for this vulnerability was found to be incomplete," the networking giant said of both bugs. "Cisco is currently working on a complete fix."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Both flaws were first flagged on 23 January this year, but there have been no successful fixes or workarounds identified to date. The company then elaborated on the nature of the bugs two days later.

The first, dubbed CVE-2019-1652, concerns a remote-code execution hole that, if exploited, could allow a remote attacker with admin privileges to execute arbitrary commands on one of the affected routers. The second, CVE-2019-1653, could allow an attacker to retrieve sensitive information such as router configuration or detailed diagnostic information.

The information disclosure flaw is due to improper access controls for URLs, whereby an attacker can connect to an affected device through HTTP or HTTPS and request specific URLs. The remote-code execution vulnerability, meanwhile, can be exploited by sending malicious HTTP POST requests to a router's web-based management interface.

Cyber security expert Graham Cluley told IT Pro the fact both vulnerabilities remain unpatched was troubling news for small business.

"In both of these cases, Cisco thought it had previously fixed the vulnerability in January - but has now found that it had failed to do so properly.

Advertisement - Article continues below

"The bad news for small businesses who might be using these devices is that Cisco doesn't currently have a working patch, and is unable to even suggest a workaround. The potential is therefore there for online criminals to try to exploit the flaws which Cisco itself has rated as high severity.

"Let's hope that Cisco is able to roll out a working firmware update sooner rather than later."

Cisco says it aims to fix the vulnerabilities, which are present in routers running Firmware Release 1.4.2.15 and later, with an updated Firmware version. This is expected to be released by the middle of April 2019.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/security/data-breaches/354611/misconfigured-security-command-exposes-250-million-microsoft-customer
data breaches

Misconfigured security command exposes 250 million Microsoft customer records

23 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/mobile/5g/354634/boris-johnson-accused-of-doing-a-bit-of-a-runner-from-huawei-5g-questions
5G

Boris Johnson accused of doing "a bit of a runner" from Huawei 5G questions

27 Jan 2020