Cisco has made mistakes with security updates for various routers. These updates were intended to close vulnerabilities in the RV320 and RV325 WAN VPN routers used by Internet security providers and enterprise users. However, the updates did not work.
One of the vulnerabilities was that a hacker had administrative commands executed on Cisco devices, without the need for a password. Another vulnerability allows hackers to obtain sensitive configuration details of a device without the need for a password. The vulnerabilities were discovered in January.
Cisco then rolled out security updates to resolve the issues. But according to researchers from security company RedTeam Pentesting, the vulnerabilities were still actively exploited by hackers, writes Silicon Angle.
Cisco has admitted to making mistakes. In a statement, the company says that “the first solution to this vulnerability appears to be incomplete”. The bigger problem is that there is no solution for the vulnerabilities. Cisco’s suggesting we work on this.
Problems
According to Lane Thames, senior security researcher at Tripwire, there were several errors in the security updates. “First of all, it shows that even the greatest creators of software and hardware do not have basic safe development practices in place.”
“The engineering behind this solution was quite immature when it comes to security, suggesting that even the engineers working on security issues sometimes don’t understand how to close vulnerabilities,” says Thames, saying the vulnerability was very basic and the result of poor input remediation. The solution should have contained an input sanatizer, which filters the input on special command line characters. Cisco wouldn’t have done that, though.
In addition, according to Thames, Cisco has not tested its solutions well enough. “The manufacturer should have worked better with the penetration testers that found the original vulnerabilities. These testers could have analyzed the patched firmware for Cisco, to confirm that it was a good solution, before it was made public.”
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.