UPDATED 00:18 EDT / MARCH 29 2019

SECURITY

Cisco bungles security updates for routers used by ISPs and enterprises

In a strange turn of events for an otherwise stand-up company, Cisco Systems Inc. has bungled security updates for a number of its routers.

Security flaws that affect Cisco RV320 and RV325 WAN VPN routers, used by internet service providers and enterprise users, were allegedly addressed in a previous update, but the fix failed to work. The vulnerabilities in question, one that allows a hacker to run administrative commands on the Cisco devices without a password and another that allows a hacker to get sensitive device configuration details without a password, were first detected in January.

Detailed Wednesday by researchers at cybersecurity firm RedTeam Pentesting GmbH, the flaws are said to be actively exploited by hackers.

To its credit, Cisco owned up to the bungle, saying in a security advisory that “the initial fix for this vulnerability was found to be incomplete.” The bad news is that currently a patch for the vulnerabilities is not available, though Cisco said it’s working on a fix.

Lane Thames, senior security researcher at Tripwire Inc., told SiliconANGLE that there are a couple of interesting failures related to the botched fix.

“First, this shows that even the largest of software and hardware vendors don’t have basic secure development practices in place,” Thames said. “The engineering behind this fix was quite immature with respect to security and indicates that even the engineers involved with fixing security bugs sometimes don’t understand how to fix vulnerabilities.”

In particular, he explained, “the command injection vulnerability, in this case, was very basic (trivial to prevent, trivial to fix) and is due to improper input sanitization. Cisco tried to fix the issue by blacklisting a particular ‘User Agent,’ when the real fix should have been implementing an input sanitizer that filters the input for special command line characters.”

Thames said many libraries implement that filtering. “Using appropriate libraries that help us prevent security issues in code is key nowadays,” he said. “There have been many patches released over the years to fix vulnerabilities that were botched due to developers implementing home-grown fixes to a problem instead of using a good library.”
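The difference between the two fixes Thames contrasts, as an added example that is not from the article or from Cisco's firmware: a client denylist never inspects the submitted value, while an allowlist check with shell-free argument passing (or library quoting through Python's `shlex`) does. The client names, field values and tool path are constructed assumptions.

```python
import re
import shlex

# Every name and value below is constructed for illustration.
BLOCKED_AGENTS = ("examplescanner",)              # stand-in client denylist
SAFE_VALUE = re.compile(r"[A-Za-z0-9._-]{1,64}")  # allowlist for a hypothetical field

REQUESTS = [  # (User-Agent header, submitted field value)
    ("ExampleScanner/1.0", "office-vpn"),
    ("ExampleScanner/1.0", "a;b"),
    ("OtherClient/2.0", "a;b"),
    ("OtherClient/2.0", "a|b"),
    ("OtherClient/2.0", "a$(b)"),
    ("OtherClient/2.0", "a`b`"),
    ("OtherClient/2.0", "office-vpn"),
]

def denylist_gate(user_agent, value):
    """Incomplete fix: decides on client identity, never inspects the value."""
    return not any(agent in user_agent.lower() for agent in BLOCKED_AGENTS)

def allowlist_gate(user_agent, value):
    """Root-cause fix: accept only values built from known-safe characters."""
    return SAFE_VALUE.fullmatch(value) is not None

def unsafe_accepted(gate):
    """Values a gate lets through although they fail the allowlist."""
    return [v for ua, v in REQUESTS
            if gate(ua, v) and not SAFE_VALUE.fullmatch(v)]

def build_argv(tool, value):
    """Argument vector for subprocess.run(argv), so no shell parses the value."""
    if not allowlist_gate("", value):
        raise ValueError(f"rejected value: {value!r}")
    return [tool, "--", value]

def stays_one_argument(value):
    """Library quoting, for code paths where a shell cannot be avoided."""
    return shlex.split("tool " + shlex.quote(value)) == ["tool", value]

if __name__ == "__main__":
    print("denylist lets through: ", unsafe_accepted(denylist_gate))
    print("allowlist lets through:", unsafe_accepted(allowlist_gate))
    print("argv:", build_argv("/usr/bin/example-tool", "office-vpn"))
    print("quoted values stay one argument:",
          all(stays_one_argument(v) for _, v in REQUESTS))
```

The denylist also rejects the harmless `office-vpn` request from the blocked client, so it is both too weak and too broad.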

The second involves failing to do good testing, he added. “Particularly, the vendor should have worked closer with the penetration testers who found the original vulnerabilities,” he said. “These testers could have analyzed the patched firmware for Cisco to confirm a good fix before releasing the patch to the public.”
