Cisco has warned that a patch issued in January 2019 for some of its VPN routers didn’t work.
The company’s January 23rd advisory warned of “A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers” that “could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands.”
“A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root,” the advisory added.
Which is bad. So Cisco tried to fix it up.
We say “tried” because on March 27th Cisco added a note to the original advisory that said “The initial fix for this vulnerability was found to be incomplete. Cisco is currently working on a complete fix. This document will be updated once fixed code becomes available.”
“Firmware updates that address this vulnerability are not currently available. There are no workarounds that address this vulnerability.”
Which is bad. Because lots of users out there will think they’ve already fixed the problem with this product.
CRN will update this story once Cisco issues a fix that works. The company's not said when it expects that fix to arrive.