Cisco: All these routers have the same embedded crypto keys, so update firmware
Security researchers have found that the firmware for several Cisco small-business routers contains numerous security issues.
Networking
The problems include hardcoded password hashes as well as static X.509 certificates with the corresponding public-private key pairs and one static Secure Shell (SSH) host key.
The static keys are embedded in the routers firmware and are used for providing HTTPS and SSH access to the affected routers. The issue means all devices with the affected firmware use the same keys.
Cisco admits it was an oversight by its developers, but downplayed the seriousness of the error because the certificates and keys were never intended for shipping products.
SEE: 10 tips for new cybersecurity pros (free PDF)
Researchers Stefan Viehböck and Thomas Weber of SEC Consult/IoT Inspector found the static certificates and keys in the Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers.
Cisco, in an informational advisory, explains that the researchers found two static X.509 certificates with the corresponding public-private key pairs and one static SSH host key in the devices' firmware.
The certificates were used for testing purposes during the development of the firmware and were never used for live functionality in any shipping version of the products, according to Cisco.
"The inclusion of these certificates and keys in shipping software was an oversight by the development team for these routers," Cisco said.
Meanwhile, Cisco explains that the presence of the static SSH host key was due to the Cisco-owned Tail-f Netconf ConfD package that's included in the firmware. But Cisco says key-based SSH authentication isn't supported in any shipping version of this firmware.
The researchers also found a hardcoded password hash for the root user in the firmware.
"An attacker with access to the base operating system on an affected device could exploit this issue to obtain root-level privileges. However, Cisco is not currently aware of a way to access the base operating system on these routers," Cisco notes.
Cisco says it removed the static certificates and keys and the hardcoded user account in firmware releases 1.5.1.05 and later for the Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers.
The two researchers found similar issues in the firmware for Cisco Small Business RV series routers RV016, RV042, RV042G, and RV082 Routers.
In this case, there was an X.509 certificate with a corresponding public/private key pair that was issued to Taiwanese networking equipment maker QNO Technology.
Again, Cisco says it was an oversight by the team that developed these routers and that the keys were never used for live functionality in shipping products, which instead used dynamically created certificates.
Cisco fixed this issue in firmware release 4.2.3.10, which also includes a fix for a newly disclosed high-severity bug affecting the RV016, RV042, RV042G, and RV082 routers.
This bug did warrant the tracking identifier CVE-2019-15271 and has a severity score of 8.8 out of 10. A bug in the web interface of the routers could allow a remote attacker who has authenticated to execute malicious commands with root privileges.
SEE: Cisco unifies its collaboration tools on one platform
Admins must update the firmware since there is no workaround. However, Cisco advises that admins can disable the remote management feature if it's not required for business. This disables the web interface.
Cisco has also disclosed a command-injection vulnerability affecting the RV016, RV042, RV042G, RV082, RV320, and RV325 small-business routers.
It has also just detailed high-severity flaws affecting the Cisco Web Security Appliance, Cisco Wireless LAN Controller, the Webex Network Recording Player and Webex Player, the TelePresence Collaboration Endpoint, and the Cisco Prime Infrastructure and Evolved Programmable Network Manager.
Details about these bugs and fixes can be found on Cisco's security advisories page.