
8k Cisco RV320/RV325 routers are still leaking their admin credentials - bad_packets
https://badpackets.net/over-9000-cisco-rv320-rv325-routers-vulnerable-to-cve-2019-1653/#2019-03-28-update
======
threatofrain
> Cisco firmware update for RV320/RV325 routers simply blacklisted the user
> agent for curl.

Oh Cisco.

~~~
harry8
So, lawyers. Do we short Cisco? Are they going to be sued out of existence?
They know the problem. They have claimed a fix that does absolutely nothing.
It will be the vector for a hack. Hundreds of thousands of people's personal
details will be stolen with Cisco responsible through criminal negligence or
worse.

Bye bye Cisco? (Bankrupt, assets sold off to other companies).

Or is this not going to happen because there's a computer involved so nobody
can switch their brain on and think in the entirety of both lawmaking and
enforcement?

~~~
zamadatix
It's not going to happen because that doesn't even make sense. This concept
"you will have perfect security or you will be fined out of existence" is just
a long way to saying "you will be fined out of existence" as there is no such
thing as perfect security or a security patch that covers every possible
attack.

~~~
diffeomorphism
There still is the fact that they released a non-fix but claimed it fixed it.
At that point it is not unreasonable to infer either negligence or bad faith.

Having "perfect security" is obviously not expected, but it is expected that
you act on receiving knowledge of risks in a reasonable manner instead of
basically writing a sign saying "please do not exploit" and wrongly claiming
you fixed it.

~~~
zamadatix
I guarantee the security patch didn't claim to permanently fix the class of
bug, which is what I was getting at. Unless Cisco has been signing contract
agreements claiming their security patches will do <x>, where <x> was something
that wasn't done here, then you're essentially asking if they'll be sued into
the ground because you don't think their patch was good enough.

~~~
diffeomorphism
> you're essentially asking if they'll be sued into the ground because you
> don't think their patch was good enough

No, that is distinctly not what I am saying. Again, nobody demands a perfect
fix and a valid attempt is all that is needed. Their "patch" however is not a
valid attempt, not because it is not good enough, but because they are not
even trying but just pretending to do something.

The question thus is: You are notified of a big security problem and do
absolutely nothing, can you be sued for that? Since you are mentioning
contract agreements, it seems that the US does not have any minimum standards
here?

~~~
zamadatix
> Their "patch" however is not a valid attempt, not because it is not good
> enough, but because they are not even trying but just pretending to do
> something.

If not according to you then who? If not "I don't think that patch was a good
enough attempt" then what is the quantitative evaluation used to say "Cisco
never guaranteed security but it didn't meet base security measurements <x> or
<y> and is therefore responsible for $<z> of damages"? In fact, the Cisco sales
and support contracts are going to state the opposite, as almost any software
does, because nobody is foolish enough to be in the position to agree blindly
that their stuff is so good you'll never be hacked.

> You are notified of a big security problem and do absolutely nothing, can
> you be sued for that? Since you are mentioning contract agreements, it seems
> that the US does not have any minimum standards here?

The US has many laws about minimum standards, but not "pass the buck" style by
default. E.g. a hospital doesn't get to pass the fine to Cisco because they
left the management interface open to the internet and someone hacked the
router to steal patient information, in the same way it doesn't get to pass the
fine to HP for documents printed on an HP printer being stolen. The hospital
is responsible for providing the security it claims to provide. If it wants to
pass that responsibility to a 3rd party it needs some other agreement
stating that, as Cisco is not bound by HIPAA simply because the hospital bought
a Cisco switch (new or used).

It's more common that a role be outsourced than straight-out responsibility
taken. Taking the example above, Cisco isn't going to want to take
responsibility that the router is secure unless they can manage the router's
security; otherwise something like the above "they left the management
interface open to the internet" is going to bite them in the ass. A more
common example would be PCI compliance for small businesses, which can be outsourced
to a "use this blackbox register and payment system" with an insurance-style
agreement in case you get fined, but the business is not allowed to mess with
the black box.

