Cisco's RV320 and RV325 router models for small offices and small businesses remain vulnerable to two high-severity flaws two months after the vendor announced the availability of patches. The fixes failed their purpose and attackers can still chain the bugs to take control of the devices.

Both glitches are in the web management interface of the routers and allow attackers to retrieve sensitive information (CVE-2019-1652) and run commands remotely with admin privileges (CVE-2019-1653).

Cisco's mitigation consisted of making the router firmware blacklist the user agent name for the 'curl' command-line tool used for transferring data online.

This was supposed to stop retrieving the sensitive information from the router when using the "curl" user agent name. However, simply changing the user agent in the HTTP client makes this "protection" useless.

German company RedTeam Pentesting initially reported the two bugs privately to Cisco on September 28, 2018, and agreed to publish details and proof-of-concept (PoC) code when patches would also become available to users, on  January 23, 2019. A day after, security researcher David Davidson released exploit code on GitHub.

Hackers were quick to take advantage the new opportunity and searched the web for RV320 and RV325 routers. At that time, Troy Murch of Bad Packets saw more than 9,500 vulnerable devices exposed on the web.

Scanning activity is ongoing and it can lead to dire consequences. According to Mursch, there are currently over 8,800 routers reachable online that leak their configuration file with administrator credentials.

Almost 4,000 are in the US on the Comcast network, while the rest are spread across the world. The researcher published a document with scan results from today.

Fix is on its way, delivery date unknown

In an updated security advisory, Cisco admits that the initial fix was not enough to fix the issue and informs that there are no firmware updates or workarounds to address the problem.

"The initial fix for this vulnerability was found to be incomplete. Cisco is currently working on a complete fix. This document will be updated once fixed code becomes available," reads the revised advisory.

There is no timeline for its arrival, though. In the meantime, businesses using vulnerable systems should not expose the equipment directly to the web.

If this is not feasible, they should consider a more secure way for remote access to the web management interface. Depending on the network configuration, using a VPN connection and/or limiting access from trusted devices typically eliminates the risk of a direct attack.

RedTeam Pentesting notified Cisco of the incomplete patch on February 8 and sent a PoC to demonstrate the faulty mitigation of the issue.

In mid-February, the researchers informed Cisco that they would disclose the vulnerabilities publicly on March 27, thus giving the vendor more than 30 days to come up with a proper solution.

Cisco asked to postpone the disclosure but RedTeam Pentesting did not budge this time.