rv325 accidentally opens ports 8007 and 8008 to remote management

scottdcarson
Level 1

Apologies in advance: I posted this to a different (wrong) forum and don't see how to move it, so here's a cross post.
I have an rv325 with firmware version 1.4.2.15 (the latest as of now). I recently performed the upgrade to this firmware.
I don't allow anything to connect to it from the outside except for port 443, which I have forwarded to an internal server. Remote management is disabled (the "enable" box is unchecked) on the Firewall/General screen.
I port-scanned the system from the outside using nmap. Surprise - tcp ports 8007 and 8008 were open. Even bigger surprise, port 8007 was the management interface - over http (not https)! I was able to log in successfully.
I was able to mitigate this by creating a firewall rule to block these two ports from the WAN. But ...if I hadn't run the scan, I would have never known this. As far as I can tell, there's no setting to either enable or disable this behavior. Isn't this a pretty major security flaw? How many people have these ports open and don't know it?


train_wreck
Level 1

Wow. You know, I recall some consumer routers at one time left "undocumented" ports open on the WAN so that their support personnel could log in to customers' routers when they called to get support. It was a VERY dubious practice that didn't get much traction (at least, I hope). Belkin used TCP 32764 IIRC. The RV series was originally part of the Linksys purchase, and apart from GUI config page branding I don't think much was changed about them initially.

Cisco recently updated the line with newer hardware design and a slightly modified firmware feature set, and fortunately I can confirm that an nmap scan of the whole TCP port range shows no management enabled:

 

[bash@TESTROUTER]#] nmap -T4 -p1-65535 <WAN IP of Cisco RV345P>

Starting Nmap 6.46 ( http://nmap.org ) at 2017-09-23 06:51 CDT
Nmap scan report for <WAN IP of Cisco RV345P>
Host is up (0.00088s latency).
Not shown: 65534 filtered ports
PORT     STATE  SERVICE
1723/tcp closed pptp
MAC Address: EC:BD:1D:--:--:-- (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 405.94 seconds

Until the recent update, the RV series felt pretty abandoned by Cisco...

That's good, but you're testing an rv345.  There are many people still using the rv32x devices, and I would think that Cisco would be concerned about leaving them vulnerable, especially in a way that's not documented and not likely to be noticed.  Note that these ports were not open in an earlier release of the firmware I'm running on another identical router.

I would have hoped that someone from cisco might have suggested there would be a bug fix for this.

line_noise
Level 1

I can confirm that I'm seeing this behaviour on 1.4.2.15 firmware RV325s as well.

 

8007 and 8008 exposed.  I can log in via 8007 using the cisco user credentials.

 

This seems like one that needs urgent patching.

Did you try adding an ACL to block port 8007 and 8008? Does it work?

Specifically blocking it works but the assumption amongst most users would be that those ports are closed by default.

As I said in the original post:

   "I was able to mitigate this by creating a firewall rule to block these two ports from the WAN."

So yes.  But unless you know to do this, the ports are left open by default.

I just ran a PCI scan from one of the PCI Scan "scammers" ... and port 8007 came back as open. 

 

I had just updated to the latest firmware. Now to replace that firewall ASAP. 

 

It's very telling really ... Cisco quality has dropped off a cliff. Time to find a new vendor. 

Version 1.4.2.15 is what caused this! Cisco released 1.4.2.17 to resolve these ports so no need to make a rule.

 


Cheers!

support
Level 1

I have several of these routers implemented, and I can confirm on the routers that I haven't gotten round to updating that these ports aren't shown as open. On the latest firmware, however, the following ports are showing as open on a completely fresh firmware with default configuration.

 

Discovered open port 80/tcp on 
Discovered open port 53/tcp on 
Discovered open port 443/tcp on 
Discovered open port 8443/tcp on 
Discovered open port 8007/tcp on 
Discovered open port 8008/tcp on 
Discovered open port 8000/tcp on

 

Remote management port 443 is also un-ticked in the GUI so no reason for 443 to be opened.
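
Added example, not part of any post in this thread: a small check that reads nmap text output from an external scan of your own WAN address (both the `PORT STATE SERVICE` table and the verbose `Discovered open port` lines quoted above), flags open TCP ports outside an intended-exposure list, and diffs a pre-upgrade scan against a post-upgrade one. The allowlist of 443, the function names, and the sample scan text with its 203.0.113.10 address are assumptions constructed for illustration.

```python
import re

# Assumption: the only port meant to be reachable from the WAN is the 443 forward.
EXPECTED_WAN_TCP = {443}

VERBOSE_RE = re.compile(r"^Discovered open port (\d+)/(tcp|udp)\b")
TABLE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")

def open_ports(nmap_text):
    """Return {(port, proto)} reported open in nmap's normal or verbose text output."""
    found = set()
    for raw in nmap_text.splitlines():
        line = raw.strip()
        m = VERBOSE_RE.match(line)
        if m:
            found.add((int(m.group(1)), m.group(2)))
            continue
        m = TABLE_RE.match(line)
        # Only the exact state "open" counts; closed, filtered and open|filtered do not.
        if m and m.group(3) == "open":
            found.add((int(m.group(1)), m.group(2)))
    return found

def unexpected_exposure(nmap_text, expected=EXPECTED_WAN_TCP):
    """Open TCP ports that are not on the intended-exposure list."""
    return sorted(p for p, proto in open_ports(nmap_text) if proto == "tcp" and p not in expected)

def newly_opened(before_text, after_text):
    """Ports open in the later scan but not the earlier one (e.g. across a firmware upgrade)."""
    return sorted(open_ports(after_text) - open_ports(before_text))

# Constructed scan output; 203.0.113.10 is a documentation address, not a real host.
BEFORE_UPGRADE = """\
PORT     STATE  SERVICE
443/tcp  open   https
1723/tcp closed pptp
"""
AFTER_UPGRADE = """\
Discovered open port 443/tcp on 203.0.113.10
Discovered open port 8007/tcp on 203.0.113.10
PORT     STATE  SERVICE
443/tcp  open   https
8007/tcp open   unknown
8008/tcp open   http
"""

if __name__ == "__main__":
    print("new since baseline:", newly_opened(BEFORE_UPGRADE, AFTER_UPGRADE))
    bad = unexpected_exposure(AFTER_UPGRADE)
    print("unexpected WAN exposure:", bad)
    raise SystemExit(1 if bad else 0)
```

Run against saved scans taken before and after each firmware change, the non-zero exit status makes it usable from a scheduled job that alerts on new WAN exposure.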