Attacks began two days after the release of a Cisco patch and one day after researchers published demo exploit code. Two days after Cisco patched a serious vulnerability in a popular line of SOHO routers, and one day after proof-of-concept code was released, hackers started scanning for unpatched devices and attacking them to take them over by exploiting the bug.
The vulnerability, tracked as CVE-2019-1663, was noteworthy when it was disclosed on February 27 because the Cisco team rated it 9.8 on a severity scale with a maximum of 10.
This is because the bug is trivial to exploit and does not require advanced coding or complex attack routines; it completely bypasses the authentication procedure; and routers can be attacked remotely over the Internet, without the attacker having to be physically present on the same local network as the vulnerable device. Affected models include the Cisco RV110, RV130 and RV215, all of which are WiFi routers deployed in small businesses and households.
This means that the owners of these devices are unlikely to keep an eye on Cisco security alerts, and most of these routers will remain unpatched, unlike in large corporate environments where Cisco fixes would already have been deployed by IT personnel.
Over 12,000 of these devices are reachable online, the vast majority in the US, Canada, India, Argentina, Poland, and Romania, according to a scan by cyber-security firm Rapid7. According to cyber-security firm Bad Packets, which reported the scans on March 1, all of these devices are now under attack.
The company detected hackers scanning for these router models using an exploit that had been published a day earlier on the blog of Pen Test Partners, a UK-based cyber-security company. One of the researchers at Pen Test Partners, together with two Chinese security experts, found this particular vulnerability last year.
In its blog post, Pen Test Partners blamed the root cause of CVE-2019-1663 on Cisco coders' use of strcpy, a notoriously unsafe C library function. The post explained how the use of this function left the authentication mechanism of the Cisco RV110, RV130 and RV215 routers open to a buffer overflow, allowing attackers to overflow the password field and attach malicious commands that were executed during the authentication procedure.
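As an added illustration of the root cause described above (this is example code, not code from the Pen Test Partners post or from Cisco's firmware), the unbounded strcpy pattern is shown beside a length-checked replacement; the 64-byte buffer size and the function names are assumptions for the example:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed illustrative buffer size; not the real layout of the router firmware. */
#define PASSWORD_MAX 64

/* Before: the pattern the article attributes to the affected firmware.
   strcpy copies until it finds a NUL byte, so a password longer than the
   destination writes past its end (undefined behaviour). Shown only for
   contrast; it is never called with oversized input here. */
static void copy_password_unsafe(char dst[PASSWORD_MAX], const char *password) {
    strcpy(dst, password);  /* no bound on the source length */
}

/* After: measure the field with a bound, reject anything that does not fit
   together with its terminating NUL, then copy exactly that many bytes.
   Returns 0 on success, -1 if the field is NULL or too long. */
int copy_password_checked(char dst[PASSWORD_MAX], const char *password) {
    if (password == NULL) return -1;
    size_t len = 0;
    while (len < PASSWORD_MAX && password[len] != '\0') len++;
    if (len >= PASSWORD_MAX) return -1;  /* no room for the NUL terminator */
    memcpy(dst, password, len);
    dst[len] = '\0';
    return 0;
}

/* How an authentication handler gates the field before doing anything else.
   Returns 1 if the password was accepted into the buffer, 0 if rejected. */
int password_field_accepted(const char *password) {
    char buf[PASSWORD_MAX];
    return copy_password_checked(buf, password) == 0;
}

/* Builds a constructed password of `len` 'A' bytes and runs it through the check. */
int synthetic_password_accepted(size_t len) {
    char *p = malloc(len + 1);
    if (p == NULL) return -1;
    memset(p, 'A', len);
    p[len] = '\0';
    int ok = password_field_accepted(p);
    free(p);
    return ok;
}

int main(void) {
    char buf[PASSWORD_MAX];
    copy_password_unsafe(buf, "short");  /* fits, so this call does not overflow */
    printf("63-byte field accepted: %d\n", synthetic_password_accepted(63));
    printf("200-byte field accepted: %d\n", synthetic_password_accepted(200));
    return 0;
}
```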
Attackers who read the blog post appear to be taking over vulnerable devices using the example provided in the Pen Test Partners article. Owners of these devices will need to update at the earliest opportunity. If they believe their router has been compromised, reflashing the device's firmware is recommended.