Summary

• Cisco firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers is affected by the following issues:

  • Static certificates and keys
  • Hardcoded password hashes
  • Multiple vulnerabilities in third-party software (TPS) components

  Static Certificates and Keys

  Two static X.509 certificates with the corresponding public/private key pairs and one static Secure Shell (SSH) host key were found in the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers. One X.509 certificate was created by the OpenSSL Group for testing purposes and the second certificate is a test certificate created by Cisco.

  The X.509 certificates and keys in question are part of the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers and were used for their intended testing purpose during the development of that firmware They were never used for live functionality in any shipping version of the product. All shipping versions of this firmware use dynamically created certificates instead.

  Cisco bug ID: CSCvq34465

  The static SSH host key is part of the tail-f (now part of Cisco) Netconf ConfD package that is included in the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers. It was never used for live functionality in any shipping version of the product. Key-based SSH authentication is not supported in any shipping version of this firmware.

  Cisco bug ID: CSCvq34469

  The inclusion of these certificates and keys in shipping software was an oversight by the development team for these routers.

  Hardcoded Password Hashes

  The /etc/shadow file included in the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers has a hardcoded password hash for the root user.

  The /etc/shadow file is not consulted during user authentication by the firmware. Instead, a dedicated alternate user database is used to authenticate users who log in to either the CLI or the web-based management interface of the affected routers.

  An attacker with access to the base operating system on an affected device could exploit this issue to obtain root-level privileges. However, Cisco is not currently aware of a way to access the base operating system on these routers.

  Cisco bug ID: CSCvq34472

  Multiple Vulnerabilities in Third-Party Software Components

  Third-party software (TPS) components in the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers contain vulnerabilities. Cisco will handle these vulnerabilities by using the regular Cisco process for TPS vulnerabilities in accordance with the Cisco Security Vulnerability Policy. For information about known TPS vulnerabilities that affect the firmware for these routers, consult the Cisco Bug Search Tool.

Affected Products

• These issues affect Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers when they are running a firmware release earlier than 1.5.1.05.

  Products Confirmed Not Affected

  Only products listed in the Affected Products section of this advisory are known to be affected by these issues.

  Updated Firmware

  Cisco removed the static certificates and keys and the hardcoded user account in firmware releases 1.5.1.05 and later for the Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers.

  Customers can download the firmware from the Software Center on Cisco.com by doing the following:

  1. Click Browse all.
  2. Choose Routers > Small Business Routers > Small Business RV Series Routers.
  3. Choose a specific product from the right pane of the product selector.
  4. Click Small Business Router Firmware.

Source

• Cisco would like to thank security researchers Stefan Viehböck and Thomas Weber of SEC Consult/IoT Inspector for reporting these issues.

URL

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-rv32x

Revision History

• Version	Description	Section	Status	Date
  1.0	Initial public release.	—	Final	2019-November-06

  Show Less