CVE-2019-1828
Current Description
A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to access administrative credentials. The vulnerability exists because affected devices use weak encryption algorithms for user credentials. An attacker could exploit this vulnerability by conducting a man-in-the-middle attack and decrypting intercepted credentials. A successful exploit could allow the attacker to gain access to an affected device with administrator privileges. This vulnerability affects Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers running firmware releases prior to 1.4.2.22.
Basic Data
| Published | April 04, 2019 |
|---|
| Last Modified | October 09, 2019 |
|---|
| Assigner | cve@mitre.org |
|---|
| Data Type | CVE |
|---|
| Data Format | MITRE |
|---|
| Data Version | 4.0 |
|---|
| Problem Type | CWE-327 |
|---|
| CVE Data Version | 4.0 |
|---|
Base Metric V2
| CVSS 2 - Version | 2.0 |
|---|
| CVSS 2 - Vector String | AV:N/AC:M/Au:N/C:P/I:N/A:N |
|---|
| CVSS 2 - Access Vector | NETWORK |
|---|
| CVSS 2 - Access Complexity | MEDIUM |
|---|
| CVSS 2 - Authentication | NONE |
|---|
| CVSS 2 - Confidentiality Impact | PARTIAL |
|---|
| CVSS 2 - Availability Impact | NONE |
|---|
| CVSS 2 - Base Score | 4.3 |
|---|
| Severity | MEDIUM |
|---|
| Exploitability Score | 8.6 |
|---|
| Impact Score | 2.9 |
|---|
| Obtain All Privilege | false |
|---|
| Obtain User Privilege | false |
|---|
| Obtain Other Privilege | false |
|---|
Base Metric V3
| CVSS 3 - Version | 3.0 |
|---|
| CVSS 3 - Vector String | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
|---|
| CVSS 3 - Attack Vector | NETWORK |
|---|
| CVSS 3 - Attack Complexity | HIGH |
|---|
| CVSS 3 - Privileges Required | NONE |
|---|
| CVSS 3 - User Interaction | NONE |
|---|
| CVSS 3 - Scope | UNCHANGED |
|---|
| CVSS 3 - Confidentiality Impact | HIGH |
|---|
| CVSS 3 - Integrity Impact | HIGH |
|---|
| CVSS 3 - Availability Impact | HIGH |
|---|
| CVSS 3 - Base Score | 8.1 |
|---|
| CVSS 3 - Base Severity | HIGH |
|---|
| Exploitability Score | 2.2 |
|---|
| Base Severity | HIGH |
|---|
Configurations
-
AND
-
OR - Configuration 1
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | OS | Cisco | Rv320 Firmware | * | * | * | * | * | * | * | * | � | � | � | 1.4.2.22 |
-
OR Running on/with:
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Hardware | Cisco | Rv320 | - | * | * | * | * | * | * | * | � | � | � | � |
-
AND
-
OR - Configuration 2
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | OS | Cisco | Rv325 Firmware | * | * | * | * | * | * | * | * | � | � | � | 1.4.2.22 |
-
OR Running on/with:
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Hardware | Cisco | Rv325 | - | * | * | * | * | * | * | * | � | � | � | � |
Vulnerable Software List
References
| Name | Source | URL | Tags |
|---|
| 107774 | http://www.securityfocus.com/bid/107774 | BID | Third Party Advisory VDB Entry |
| 20190404 Cisco Small Business RV320 and RV325 Routers Weak Credential Encryption Vulnerability | https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190404-rv-weak-encr | CISCO | Vendor Advisory |
Follow @discotekdotca