Just as Cisco is looking to close up more than two dozen security flaws in networking boxes, researchers are claiming a set of previously issued patches is failing to work properly.
Bug-hunters with German testing group RedTeam Pentesting GmbH said today that two fixes included in a recent update for the RV320 Gigabit WAN router family failed to fully address the bugs.
At issue are the January 23 fixes for:
- CVE-2019-1652, a remote code execution hole, specifically a command injection flaw. The attacker would need to be logged in with an admin account to target this bug.
- CVE-2019-1653, an information disclosure flaw that exposes diagnostic reports over the web interface without needing authentication. RedTeam notes the flaw could also be abused to collect configuration details.
In both cases, RedTeam says its team found that the flaws could still be exploited by an attacker despite Cisco's patches. Switchzilla agreed, and confirmed it was working on an update.
"The initial fix for this vulnerability was found to be incomplete," Cisco says of each bug.
"Cisco is currently working on a complete fix."
While admins await those updated firmware patches, Cisco also has security updates out for IOS, the operating system that runs most of its routers and switches, this week. Of the 25 CVE-listed vulnerabilities addressed by the update, 19 are for issues Cisco classifies as high risk.
These include a remotely exploitable (with authentication) file upload bug in IOS XE as well as multiple fixes for remotely exploitable no-authentication-needed denial of service vulnerabilities related to the handling of DNS, IP SLA, and ISDN packets and commands.
Updated to add
Turns out Cisco's original fix for the holes in its RV320 router family involved, er, blocking Curl, or any user agent that declared itself as Curl, which obviously can be circumvented, hence the need for a better set of patches.
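Why a User-Agent filter is not access control, as an added example that is not Cisco's code or part of the original article: a regression check that an authorization decision stays the same when only a client-controlled header changes. Both gate functions, the session token and the User-Agent strings are constructed for illustration and model only the behaviour described above.

```python
import hmac

# Constructed sample values; nothing here comes from the RV320 firmware.
SESSIONS = {"c0ffee-constructed-token": "admin"}
USER_AGENTS = ["curl/7.64.0", "Mozilla/5.0 (X11; Linux x86_64)", "",
               "inventory-scanner/1.0"]


def ua_blocklist_gate(headers):
    """Model of the fix as described: refuse clients that announce curl."""
    return "curl" not in headers.get("User-Agent", "").lower()


def session_gate(headers):
    """Server-side check: allow only a request with a valid admin session."""
    token = headers.get("Cookie", "").partition("session=")[2]
    return any(hmac.compare_digest(token, known) and role == "admin"
               for known, role in SESSIONS.items())


def audit_gate(gate):
    """Report where a gate's decision is driven by client-controlled input."""
    findings = set()
    for cookie in ("", "session=c0ffee-constructed-token"):
        decisions = []
        for ua in USER_AGENTS:
            headers = {"User-Agent": ua}
            if cookie:
                headers["Cookie"] = cookie
            decisions.append(gate(headers))
        # Same credentials, different self-declared client: must not matter.
        if len(set(decisions)) > 1:
            findings.add("decision varies with User-Agent")
        # No credentials at all: nothing should get through.
        if not cookie and any(decisions):
            findings.add("unauthenticated request allowed")
    return sorted(findings)


if __name__ == "__main__":
    for gate in (ua_blocklist_gate, session_gate):
        print(gate.__name__, audit_gate(gate) or "no findings")
```

A check of this shape belongs in the release tests for any endpoint that returns configuration or diagnostic data, so a patch that keys on a request header fails before it ships.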