Cybercriminals target Cisco routers after latest security patches

• The router models, RV110W, RV130W, and RV215W were earlier patched for a serious security vulnerability which enabled arbitrary code execution in these devices.
• One of the C programming functions could be modified to bypass authentication mechanisms, leaving it open to buffer overflow attacks.

Two days after Cisco released security updates for its router models, RV110W, RV130W, and RV215W, attackers have attempted exploiting these devices.

A tweet by security firm Bad Packets LLC indicated various instances of these routers being targeted again post the update release. It is believed that this is a consequence of a new bug disclosed by security firm Pen Test Partners.

Worth noting

• Earlier, Cisco addressed CVE-2019-1663 affecting the three models. The vulnerability allowed arbitrary code execution due to a flawed data validation in the router’s web-based interface.
• A PoC exploit disclosed by Pen Test Partners showed a C programming function “strcpy” which can be tweaked to make the authentication mechanism redundant.
• This can also lead to buffer overflows that can allow attackers to inject malicious code during authentication.

The fix

Thankfully, updates meant for CVE-2019-1663 work on resolving this buffer-overflow flaw. Routers having outdated software versions are still vulnerable. In fact, Pen Test Partners actually analyzed the model RV130W having a custom software version.

“The RV130, like a lot of routers and other embedded IoT devices, does not run Cisco IOS. Instead, it runs some form of embedded Linux. The majority of router-like functionality is handled by a small set of binaries which parse user input and make the router do useful router things. Most of the user input comes through the web interface – which is where we found this bug,” mentioned the firm’s blog.

Therefore, users of these router models are suggested to update them with the latest security patch.