By BECKY RUTHERFORDLos Alamos
Cisco Small Business Router Vulnerabilities
Security researchers at SEC Consult/IoT Inspector found numerous security issues for the Cisco RV320 and RV325 Dual Gigabit WAN VPN router series.
Issues included hardcoded password hashes and static X.509 certificates with corresponding public/private key pairs and one static Secure Shell (SSH) host key.
Cisco stated that this was an oversight by their developers, and the certificates and keys were never intended to be shipped with the products. The certificates were used for testing purposes during the development of the firmware and were not intended for live functionality.
Why is this bad? According to Cisco, “An attacker with access to the base operating system on an affected device could exploit this issue to obtain root-level privileges. However, Cisco is not currently aware of a way to access the base operating system on these routers,”
The flaw was assigned the tracking identifier of CVE-2019-15271, and could allow a remote attacker who has authenticated to the system to execute malicious commands with root (admin) privileges. A hacked or compromised router could cause a lot of damage, not just on the router, but to every device running on your network.
What can you do? Cisco fixed this issue in firmware release 4.2.3.10; if you are using the affected router models (RV320 and RV325 Dual Gigabit WAN VPN) you will need to update the firmware as there is no workaround. If you don’t need the remote management feature on these routers, you can also disable it.
Cisco disclosed several other high-severity flaws affecting other small-business routers. More information can be found on their security advisory page:
CISA Releases Cyber Essentials for Small Businesses/Government Agencies
The US Department of Homeland Security Cybersecurity and Infrastructure Agency (CISA) released guidance on Cyber Essentials for small businesses this week. This guidance is meant to serve as a starting point for small businesses and other government agencies to better understand and learn to remediate cybersecurity risks. This resource offers actionable, basic steps, and resources that can be used to improve cybersecurity posture.
Cyber Essentials includes five different elements:
- Yourself
- Your Staff
- Your Systems
- Your Surroundings
- Your Data
Each section offers guidance for leaders as well as actionable items that you can take to help protect your small business or government agency. The guidance is consistent with the NIST Cybersecurity Framework and other standards.
CISA details actions that organizations/governments can take even before they adopt the Cyber Essentials:
- Backup Data: Employ a backup solution that automatically and continuously backs up critical data and system configurations.
- Multi-Factor Authentication: Require multi-factor authentication (MFA) for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative, and remote access users.
- Patch and Update Management: Enable automatic updates whenever possible. Replace unsupported operating systems, applications, and hardware. Test and deploy patches quickly.
Check out Cyber Essentials here: https://www.cisa.gov/cyber-essentials
Editor’s note: Becky Rutherford works in information technology at Los Alamos National Laboratory.
