Vulnerabilities > CVE-2019-1828 - Use of a Broken or Risky Cryptographic Algorithm vulnerability in Cisco Rv320 Firmware and Rv325 Firmware

047910
CVSS 8.1 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
high complexity
cisco
CWE-327
nessus
NVD
Published: 2019-04-04
Updated: 2019-10-09

Summary

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to access administrative credentials. The vulnerability exists because affected devices use weak encryption algorithms for user credentials. An attacker could exploit this vulnerability by conducting a man-in-the-middle attack and decrypting intercepted credentials. A successful exploit could allow the attacker to gain access to an affected device with administrator privileges. This vulnerability affects Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers running firmware releases prior to 1.4.2.22.

Vulnerable Configurations

Part Description Count
OS
Cisco
38
Hardware
Cisco
2

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Encryption Brute Forcing
    An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.
  • Creating a Rogue Certificate Authority Certificate
    An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .
  • Signature Spoof
    An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.
  • Cryptanalysis
    Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as: 1. Total Break - Finding the secret key 2. Global Deduction - Finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key. 3. Information Deduction - Gaining some information about plaintexts or ciphertexts that was not previously known 4. Distinguishing Algorithm - The attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits The goal of the attacker performing cryptanalysis will depend on the specific needs of the attacker in a given attack context. In most cases, if cryptanalysis is successful at all, an attacker will not be able to go past being able to deduce some information about the plaintext (goal 3). However, that may be sufficient for an attacker, depending on the context.

Nessus

NASL familyCISCO
NASL idCISCO-SA-20190404-RV-WEAK-ENCRYPT.NASL
descriptionAccording to its self-reported version, this Cisco Small Business RV Series router is affected by multiple vulnerabilities: - A vulnerability in the Online Help web service of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the service.The vulnerability exists because the Online Help web service of an affected device insufficiently validates user-supplied input. An attacker could exploit this vulnerability by persuading a user of the service to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected service or access sensitive browser-based information. (CVE-2019-1827) - A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to access administrative credentials.The vulnerability exists because affected devices use weak encryption algorithms for user credentials. An attacker could exploit this vulnerability by conducting a man-in- the-middle attack and decrypting intercepted credentials. A successful exploit could allow the attacker to gain access to an affected device with administrator privileges. (CVE-2019-1828) Please see the included Cisco BIDs and Cisco Security Advisory for more information
last seen2020-06-01
modified2020-06-02
plugin id124061
published2019-04-15
reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/124061
titleCisco Small Business RV320 and RV325 Routers Multiple Vulnerabilities
code
#TRUSTED 4adf1f072c4ea622831bb3665ab47ff7d18cb9de185ed55ebb0ccade3e4485665c6c218567432a7da86c917da62ec8b5005ff1503b30c214226bc3002043f6d2613a15cce49540b56027b8f7e7fdfb569387478537f65d68e3c9821b3b5d2d7589335d056309825bb5717b58ae19601594eaf9e97330a35b461eea53e7d1ca61c79d5245e6385b1ca60e808be2de0cc3859d06931856ad225fa75af42634583d49035cb8540aece2ece0c8e0a33b3c0ae6eda5e1f06488d7e59410e13d51f53cd735743f405c1bcd4f4403d7e60a7e69627154de3e0623e7de25f29cfb43566b8f5d3289de6f927288387a81733c7e3079d87a336971e351596df123787b3de4b7de131dba9e7b6aa0d9fb0155f6f8055ec2ab3e6aec95a3521666d23b808dd3e6fbcf9eec548b952dfbb9485fc83576542f5aa8e8f67ab8490c046c3252a3d8d18c5443f37531ec5e4c128ef7e32df2c7f4240864f066308bd9cc1fea6178474c3c949d80bc019f6c3edb92eaa89d509318abde6166aa745eed3b64bb6b061cfacea734f0d1a7ede25c8349bd01103daed6ee1c9bbcf86c4edc62bc85a6baf730f44701c721ad5063e0876e1f339083b946bd7c8c7cdaa0586197d8886583631ab196ec52425d052daabdd4dcd232376516d7c5aee2dcb64633843ccd976905821022f3c36fcfbf195ad9964ecf320b248ce30d8bb9525f8ba92d8cdf92fe0d
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(124061);
  script_version("1.4");
  script_cvs_date("Date: 2019/12/20");

  script_cve_id("CVE-2019-1827", "CVE-2019-1828");
  script_xref(name:"CWE", value:"CWE-327");
  script_xref(name:"CWE", value:"CWE-79");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvp09589");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvp09573");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20190404-rv-xss");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20190404-rv-weak-encrypt");

  script_name(english:"Cisco Small Business RV320 and RV325 Routers Multiple Vulnerabilities");
  script_summary(english:"Checks the version of Cisco Small Business RV Series Router Firmware");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, this Cisco Small Business RV
Series router is affected by multiple vulnerabilities:

  - A vulnerability in the Online Help web service of Cisco
    Small Business RV320 and RV325 Dual Gigabit WAN VPN
    Routers could allow an unauthenticated, remote attacker
    to conduct a reflected cross-site scripting (XSS) attack
    against a user of the service.The vulnerability exists
    because the Online Help web service of an affected
    device insufficiently validates user-supplied input. An
    attacker could exploit this vulnerability by persuading
    a user of the service to click a malicious link. A
    successful exploit could allow the attacker to execute
    arbitrary script code in the context of the affected
    service or access sensitive browser-based information.
    (CVE-2019-1827)

  - A vulnerability in the web-based management interface of
    Cisco Small Business RV320 and RV325 Dual Gigabit WAN
    VPN Routers could allow an unauthenticated, remote
    attacker to access administrative credentials.The
    vulnerability exists because affected devices use weak
    encryption algorithms for user credentials. An attacker
    could exploit this vulnerability by conducting a man-in-
    the-middle attack and decrypting intercepted
    credentials. A successful exploit could allow the
    attacker to gain access to an affected device with
    administrator privileges. (CVE-2019-1828)

Please see the included Cisco BIDs and Cisco Security Advisory for
more information");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190404-rv-xss
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7ea0bf3d");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190404-rv-weak-encrypt
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?75b1813b");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp09589");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp09573");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCvp09589 & CSCvp09573");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1828");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/04/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/15");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:small_business_rv_series_router_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_small_business_detect.nasl");
  script_require_keys("Cisco/Small_Business_Router/Version", "Cisco/Small_Business_Router/Device");

  exit(0);
}

include("audit.inc");
include("cisco_workarounds.inc");
include("ccf.inc");

product_info = cisco::get_product_info(name:'Cisco Small Business RV Series Router Firmware');

vuln_list = [
  {'min_ver' : '0', 'fix_ver' : '1.4.2.22'}
];

reporting = make_array(
  'port'          , 0,
  'severity'      , SECURITY_WARNING,
  'fix'           , '1.4.2.22',
  'version'       , product_info['version'],
  'bug_id'        , 'CSCvp09589 & CSCvp09573',
  'disable_caveat', TRUE,
  'xss'           , TRUE
);

cisco::check_and_report(
  product_info:product_info,
  reporting:reporting,
  vuln_ranges:vuln_list,
  models:make_list('RV320', 'RV325')
);

Related news

References