CVE-2019-1653
Published: 24 January 2019
Summary
CVE-2019-1653 is a high-severity Improper Access Control (CWE-284) vulnerability in Cisco RV320 firmware. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-14 (Permitted Actions Without Identification or Authentication).
Deeper analysis
The vulnerability is an information disclosure issue in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers. It stems from improper access controls on certain URLs, allowing retrieval of sensitive data such as the full router configuration or detailed diagnostic information without authentication.
An unauthenticated remote attacker can exploit the flaw by sending crafted HTTP or HTTPS requests to the affected device for specific URLs. A successful attack yields direct access to the router's configuration and diagnostics, corresponding to a CVSS 3.1 base score of 7.5 with network attack vector and high confidentiality impact.
Cisco has released firmware updates that address the vulnerability. Public exploit code and proof-of-concept files demonstrating unauthenticated configuration export and diagnostic data retrieval have been posted to sites such as Packet Storm and Seclists.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-10210
Vulnerability details
A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly enforces access restrictions on management URLs so that unauthenticated remote requests for configuration or diagnostics are denied.
Limits privileges granted to unauthenticated sessions, preventing exposure of sensitive router data that should require explicit authorization.
Requires explicit identification and documentation of any actions permitted without authentication, eliminating the unintended exposure of configuration URLs.