Researchers have noted numerous security issues in multiple Cisco Small Business Routers. Since the vendors have now fixed the flaws, users must quickly update their devices to the latest firmware.
Cisco Small Business Routers Security Issues
As confirmed by Cisco in an advisory, Cisco Small Business Routers exhibited numerous security issues. Cisco came to know of these issues via reports from security researchers who found the flaws.
Specifically, three major security glitches were discovered in the Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers firmware.
One of these problems was the presence of static certificates and keys. According to the advisory,
Two static X.509 certificates with the corresponding public/private key pairs and one static Secure Shell (SSH) host key were found in the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers.
Though, all three certificates only served the intended testing purposes. The developers inadvertently shipped these certificates with the firmware.
The other major vulnerability in these routers was the presence of hardcoded password hashes.
The /etc/shadow file included in the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers has a hardcoded password hash for the root user.
Anyone with access to the base operating system could easily gain root access on the target device by exploiting this flaw.
Cisco also disclosed similar issues affecting the RV016, RV042, RV042G, and RV082 Routers in another informational advisory.
Cisco Patched The Flaws
Apart from the two security issues discussed above, Cisco also addressed numerous vulnerabilities affecting Third-party software (TPS) components. These vulnerabilities existed in the firmware of all these routers.
With regard to Cisco RV320 and RV325 routers, the firm has fixed the vulnerabilities and other issues with the firmware version 1.5.1.05.
Whereas, for RV042, and RV042G Routers, Cisco rolled-out the patches with firmware version 220.127.116.11 and later. However, the routers RV016 and RV082 have reached the end of lifetime.
Alongside patching the flaws, Cisco also acknowledged the researchers Stefan Viehböck and Thomas Weber of SEC Consult/IoT Inspector for reporting the bugs.
Let us know your thoughts in the comments.