Cisco fails to fix two high-risk flaws in small business routers
The remote-code execution and information disclosure bugs have been unpatched since January


Two critical vulnerabilities in small business routers first flagged months ago have yet to receive adequate fixes despite regular rounds of patching.
A pair of critical bugs in Cisco's RV320 and RV325 Dual Gigabit WAN VPN Routers were issued with initial fixes that were found to be incomplete, the company has admitted.
These failed patches were attempted as part of a wave of fixes issued yesterday, largely to plug gaps in the firm's IOS and IOS XE software.
There were 25 issues fixed in total, six of which were rated 'medium' while 19 were considered high-risk. This round included fixes for several command injection vulnerabilities and privilege escalation flaws.
"The initial fix for this vulnerability was found to be incomplete," the networking giant said of both bugs. "Cisco is currently working on a complete fix."
Both flaws were first flagged on 23 January this year, but there have been no successful fixes or workarounds identified to date. The company then elaborated on the nature of the bugs two days later.
The first, dubbed CVE-2019-1652, concerns a remote-code execution hole that, if exploited, could allow a remote attacker with admin privileges to execute arbitrary commands on one of the affected routers. The second, CVE-2019-1653, could allow an attacker to retrieve sensitive information such as router configuration or detailed diagnostic information.
The information disclosure flaw is due to improper access controls for URLs, whereby an attacker can connect to an affected device through HTTP or HTTPS and request specific URLs. The remote-code execution vulnerability, meanwhile, can be exploited by sending malicious HTTP POST requests to a router's web-based management interface.
Cyber security expert Graham Cluley told IT Pro the fact both vulnerabilities remain unpatched was troubling news for small business.
"In both of these cases, Cisco thought it had previously fixed the vulnerability in January - but has now found that it had failed to do so properly.
"The bad news for small businesses who might be using these devices is that Cisco doesn't currently have a working patch, and is unable to even suggest a workaround. The potential is therefore there for online criminals to try to exploit the flaws which Cisco itself has rated as high severity.
"Let's hope that Cisco is able to roll out a working firmware update sooner rather than later."
Cisco says it aims to fix the vulnerabilities, which are present in routers running Firmware Release 1.4.2.15 and later, with an updated firmware version. This is expected to be released by the middle of April 2019.

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.