CVE-2022-20699, CVE-2022-20700, CVE-2022-20708: Critical Flaws in Cisco Small Business RV Series Routers

Read Time:3 Minute, 48 Second

Cisco patches 15 flaws in Cisco Small Business RV Series Routers, including three with critical 10.0 CVSSv3 scores.

Update February 4: Cisco has updated their advisory to announce partial patches for the RV160 and RV260 Series Routers. The Solution section has been updated with this information.

Background

On February 2, Cisco published an advisory for 15 vulnerabilities in its Small Business RV Series Routers. Three of the 15 vulnerabilities listed in the advisory received a CVSSv3 score of 10.0, the highest possible rating.

CVE
Type
CVSSv3
Cisco BugIDs

CVE-2022-20699
Remote Code Execution Vulnerability
10.0
CSCwa13836

CVE-2022-20700
Privilege Escalation Vulnerability
10.0
CSCwa14564, CSCwa14565

CVE-2022-20701
Privilege Escalation Vulnerability
9.0
CSCwa12836, CSCwa13119

CVE-2022-20702
Privilege Escalation Vulnerability
6.0
CSCwa15167, CSCwa15168

CVE-2022-20703
Digital Signature Verification Bypass Vulnerability
9.3
CSCwa12748, CSCwa13115

CVE-2022-20704
SSL Certificate Validation Vulnerability
4.8
CSCwa13205, CSCwa13682

CVE-2022-20705
Improper Session Management Vulnerability
5.3
CSCwa14601, CSCwa14602, CSCwa32432, CSCwa54598

CVE-2022-20706
Command Injection Vulnerability
8.3
CSCwa14007, CSCwa14008

CVE-2022-20707
Command Injection
7.3
CSCwa12732

CVE-2022-20708
Command Injection
10.0
CSCwa13900

CVE-2022-20749
Command Injection
7.3
CSCwa36774

CVE-2022-20709
Arbitrary File Upload
5.3
CSCwa13882

CVE-2022-20710
Denial of Service
5.3
CSCvz88279, CSCvz94704

CVE-2022-20711
Arbitrary File Overwrite
8.2
CSCwa13888

CVE-2022-20712
Remote Code Execution
7.3
CSCwa18769, CSCwa18770

Analysis

CVE-2022-20699 is a remote code execution (RCE) vulnerability in the Cisco RV340, RV340W, RV345 and RV345P Dual WAN Gigabit Routers. According to Cisco, the flaws exist due to an insufficient boundary check within the Secure Socket Layer Virtual Private Network (SSL VPN) module of these devices. A remote, unauthenticated attacker could exploit this flaw by sending a specially crafted HTTP request to a vulnerable device that is “acting as an SSL VPN Gateway.” Successful exploitation would grant an attacker arbitrary code execution on the device with root privileges.

CVE-2022-20700, CVE-2022-20701, CVE-2022-20702 are elevation of privilege vulnerabilities in the RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345 and RV345P routers. According to Cisco, these vulnerabilities reside in the web-based management interface of its Cisco Small Business RV Series Routers. The most severe of these three flaws is CVE-2022-20700. A remote, unauthenticated attacker could exploit this vulnerability by “submitting specific commands” to a vulnerable device. Successful exploitation would elevate the attacker’s privileges, allowing them to execute arbitrary commands as root.

CVE-2022-20707, CVE-2022-20708 and CVE-2022-20749 are RCE vulnerabilities in the Cisco RV340, RV340W, RV345 and RV345P Dual WAN Gigabit Routers. The most severe of these three flaws is CVE-2022-20708. According to Cisco, all three vulnerabilities reside in the web-based management interface of these devices. A remote, unauthenticated attacker could exploit these vulnerabilities by sending a specially crafted input to a vulnerable device. Successful exploitation would grant an attacker arbitrary command execution privileges at the operating system level.

At least 8,400 RV34X devices are publicly accessible

According to searches conducted on Shodan, there are at least 8,400* publicly accessible RV34X devices.

Router Model
Results

RV345
1,706

RV345P
616

RV340W
607

RV340
5,472

Total
8,401

*These results were captured on February 2, 2022

Proof of concept

In its advisory, Cisco says they are aware of proofs-of-concept (PoC) exploits for several of the vulnerabilities patched. However, none of the PoCs were hosted on public repositories like GitHub at the time this blog was published.

Solution

Cisco has released fixes for all 15 vulnerabilities for the RV340 and RV345 Series Routers. For the RV160 and RV260 Series routers, five of the vulnerabilities have been addressed in firmware release 1.0.01.07. The Cisco advisory notes that the additional fixes are expected soon. We recommend referring to the advisory to stay up to date on additional patches and recommendations from Cisco.

Product Identifier
Vulnerable Version
Fixed Version

RV160, RV160W, RV260, RV260P, RV260W
1.0.01.05 and below
1.0.01.07

RV340, RV340W, RV345 and RV345P
1.0.03.24
1.0.03.26 and above

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Cisco Security Advisory

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Read More

Zero trust with zero passwords – free guide explains what you need to know

Read Time:21 Second

Graham Cluley Security News is sponsored this week by the folks at HYPR. Thanks to the great team there for their support! A new guide provides practical guidance for eliminating passwords to accelerate your Zero Trust strategy, and explains how Zero Trust can increase business agility. The free guide, by the analysts at The Cyber … Continue reading “Zero trust with zero passwords – free guide explains what you need to know”

Read More

Interview with the Head of the NSA’s Research Directorate

Read Time:1 Minute, 10 Second

MIT Technology Review published an interview with Gil Herrera, the new head of the NSA’s Research Directorate. There’s a lot of talk about quantum computing, monitoring 5G networks, and the problems of big data:

The math department, often in conjunction with the computer science department, helps tackle one of NSA’s most interesting problems: big data. Despite public reckoning over mass surveillance, NSA famously faces the challenge of collecting such extreme quantities of data that, on top of legal and ethical problems, it can be nearly impossible to sift through all of it to find everything of value. NSA views the kind of “vast access and collection” that it talks about internally as both an achievement and its own set of problems. The field of data science aims to solve them.

“Everyone thinks their data is the messiest in the world, and mine maybe is because it’s taken from people who don’t want us to have it, frankly,” said Herrera’s immediate predecessor at the NSA, the computer scientist Deborah Frincke, during a 2017 talk at Stanford. “The adversary does not speak clearly in English with nice statements into a mic and, if we can’t understand it, send us a clearer statement.”

Making sense of vast stores of unclear, often stolen data in hundreds of languages and even more technical formats remains one of the directorate’s enduring tasks.

Read More

Smashing Security podcast #260: New hire mystery, hacktivist ransomware, and digi-dating

Read Time:21 Second

Who’s that new guy working at your company, and why don’t you recognise him from the interview? How are hacktivists raising the heat in Belarus? And should you be fully vaxxed for your online date?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Read More

Using KPIs to generate results in Cybersecurity

Read Time:4 Minute, 52 Second

Gaining investment from business leaders to create a mature cybersecurity program and fund initiatives is an imperative for success in enterprise risk mitigation. All too often, security and IT organizations struggle to capture the attention of executives needed to advance their priorities and build even basic cybersecurity capabilities.

Year after year, important initiatives get deprioritized for other business initiatives, pushing out the adoption of important technologies or funding of headcount to manage critical processes. The result is an organization with increasing exposure to risk and unwanted cybersecurity challenges. Fundamental capabilities for effective security operations that improve visibility, such as a SIEM, are deemed too expensive.

What strategies can cybersecurity staff use to cut through the noise of competing business initiatives and get the focus and investment they need to achieve their objectives? Or to properly fund the adoption of a new technology or capability? 

One way is to build a reporting system that speaks executive language and abstracts difficult to understand technology into business concepts: risk, reward, performance objectives, metrics, and success. Simply establishing what the basic priorities of a cybersecurity program are and then formally reporting out on key performance indicators on a regular basis can have a profound impact. What an organization chooses to pay attention naturally grows. 

What is reported can vary from organization to organization, depending on the operating environment, the type of data transmitted and stored, and regulatory and compliance standards in play, to name a few. A guiding principle should be simplicity; too many data points create noise and inaction. At a minimum, many organizations will look at the attack surface, vulnerabilities and exposures, incidents, and employee training as a good starting point. 

Asset management

Asset management is at the core of every program. It’s impossible to guard what you don’t know or see, and yet most organizations fail to have a full grasp of their basic IT footprint. Every piece of hardware and software owned by an organization must be accounted for and every connection to its networks and infrastructure from ancillary systems monitored.

Shadow IT, Bring Your Own Device, and Work from Anywhere have exacerbated these challenges as traditional network edges evaporate and the flow of corporate data across untrusted networks and devices has become increasingly common. This complicated patch work is the corporation’s attack surface. Reporting the scope of that footprint, at the very least, demonstrates awareness of what matters to the organization.

Surprisingly, many organizations can’t easily quantify how many servers they own, the type of operating systems they run, the number of workstations and mobile devices they have, or even where their assets are at any given point in time. This knowledge is fundamental and reporting it regularly to executives ensures that they appreciate the scope of the program while also establishing a priority to keep data fresh and consistently update to date. 

Vulnerabilities and patch management

This is perhaps one of the most impactful KPIs, not only because it’s so important in protecting the enterprise, but because it’s a constantly moving target (NIST’s National Vulnerability Database boasts greater than 17,000 submitted CVEs just this year). The vast majority of data breaches (upwards of 90%) leverage exploitation of a known vulnerability.

An effective vulnerability management program should involve scanning to identify new vulnerabilities in their infrastructure on a regular basis. KPIs around this can include the number of existing vulnerabilities discovered in the organization over the reporting period, categorization by CVE, how quickly they are patched after discovery, and graphs that linearly show reduction in vulnerabilities over time.

Cyber incidents

A risk register that tracks every incident in the organization, its severity, the resolution, and lessons learned is a must. Raising awareness to incident quantity, associated impacts to the business, efforts to determine root cause, and mitigations are essential.

Many organizations lack even a fundamental classification system that is well understood across the company. Socializing with executives the incidents from the last reporting period reinforces a shared understanding of what constitutes a Level 1 versus a Level 4 incident, the organization’s expected response, who should be notified, etc. A KPI review keeps these classification systems top of mind and also improves overall organizational readiness when new incidents occur.

Employee training

Performance metrics can include the progress of employee training and awareness campaigns, structured training (online and in-person), initiatives that focus on core concepts (such as thinking before clicking, or how a clean desk is a cybersecurity priority), or the lessons learned from a recent tabletop exercise.

All make for great topics of discussion with executive stakeholders. Many organizations get fun and creative in this area, coming up with security mascots or even inter-business unit competitions.

Getting started

For organizations that are early in the KPI development journey, a great launch point is a Balanced Scorecard. This innovative approach to change management helps:

clarify vision, mission, and strategic themes
gain alignment and buy-in
break through organizational silos
define key objectives, initiatives, and success metrics
inform dashboard content

Initially designed by Dr. Robert Kaplan and Dr. David Norton for performance management, this framework can be valuable tool for a security team to organize their strategy and distill out simple measures of success. 

Cultivate curiosity 

Perhaps the best value of a KPI review is the simple act of cultivating curiosity. KPI reviews are an opportunity for executives to question the what and the why; to inquire more deeply. Provoking curiosity inherently creates focus, attention, and concern. Cultivating it is one of the powerful catalysts a security team can use in maturing cybersecurity program.

Many technologists, buried in complexities of engineering solutions and securing bits and bytes, underutilize this simple strategy to keep their priorities top of mind with business leaders. Cultivate curiosity, generate questions, and watch investment in your ideas and programs grow.

Read More

Growing Number of Phish Kits Bypass MFA

Read Time:1 Minute, 47 Second

Growing Number of Phish Kits Bypass MFA

Phishing kits designed to circumvent multi-factor authentication (MFA) by stealing session cookies are increasingly popular on the cybercrime underground, security researchers at Proofpoint have warned.

After years of prompting by security teams and third-party experts, MFA finally appears to have reached a tipping point of user adoption. Figures from Duo Security cited by Proofpoint in a new blog today claim that 79% of UK and US users deployed some kind of second-factor authentication in 2021 versus 53% in 2019.

However, the threat landscape is changing as a result. Phishing kits offer a cheap-and-easy way for budding cyber-criminals to launch and monetize campaigns.

“In recent years, Proofpoint researchers have observed the emergence of a new type of kit that does not rely on recreating a target website. Instead, these kits use a transparent reverse proxy to present the actual website to the victim,” the firm explained.

“Modern web pages are dynamic and change frequently. Therefore, presenting the actual site instead of a facsimile greatly enhances the illusion an individual is logging in safely. Another advantage of the reverse proxy is that it allows the threat actor to man-in-the-middle (MitM) a session and capture not only the usernames and passwords in real-time, but also the session cookie.”

These cookies can then be used to access a targeted account without needing a username, password or MFA token.

Proofpoint has already noticed an uptick in the availability of such phishing kits and warned that the trend would only increase as MFA becomes more popular. They include “Modlishka,”  “Muraena/Necrobrowser” and “Evilginx2.”

“We are now in 2022, the pandemic still rages, many workers are still working from home and many may not return to the office. As more companies follow Google’s lead and start requiring MFA, threat actors will rapidly move to solutions like these MitM kits,” Proofpoint concluded.

“They are easy to deploy, free to use, and have proven effective at evading detection. The industry needs to prepare to deal with blind spots like these before they can evolve in new unexpected directions.”

Read More

Target releases web skimming detection tool Merry Maker as open source

Read Time:49 Second

Web skimming has been a major scourge for online shops over the past several years with attacks ranging from simple script injections into payment forms to sophisticated compromises of legitimate third-party scripts and services. Sometimes referred to as Magecart attacks, they have become the leading cause of card-not-present (CNP) fraud and have impacted small and big brands alike, as well as different types of ecommerce platforms.

As one of the top online retailers, Target started looking for solutions a few years ago to combat this threat and keep its own customers protected while shopping on its platform. Since there were no ready-made detection tools for such attacks at the time, two of the company’s security engineers decided to develop their own. After being in active use on Target.com for over three years, the company’s client-side scanner has now been released as an open-source project dubbed Merry Maker.

To read this article in full, please click here

Read More

Why buy now, pay later is the next big fraud risk for retailers

Read Time:38 Second

Retailers are offering customers more buy now, pay later (BNPL) finance purchasing options to drive sales across a wide range of products. Shoppers can get instant credit at the point of sale (POS) and then delay or spread payments (often at no extra cost) instead of paying outright at the time of purchase. This can appeal to consumers and has proven to be particularly popular during busy shopping periods such as Black Friday and the holiday season.

However, BNPL is also capturing the attention of online fraudsters. While it is maturing with new providers and products coming to the market, so too are the risks of fraud for retailers as cybercriminals look to exploit the BNPL process.

To read this article in full, please click here

Read More

Apple AirTag and other tagging devices add to CISO worries

Read Time:51 Second

We tag content, devices and our belongings. Tagging is ubiquitous today, in early 2022, but it wasn’t always the case.

Stepping back into history, the late 1990s and early 2000s saw the unsavory side of competitive intelligence in Silicon Valley, with companies having their trash dumpsters siphoned for useful information, pretext calling to elicit inside information, and the wholesale theft of electronic devices. Stories ad infinitum exist of teams finishing an engineering meeting and heading down to Chevy’s for dinner and putting their laptops in the trunk of the vehicle and heading into the eatery, only to find the trunk had been jacked and all the laptops missing. Same at the local sports fields, parents would arrive, throw their bag/device into the trunk only to find it gone when they returned. Such was the frequency both the San Jose and Milpitas police began placing signage in shopping centers reminding individuals to take their belongings with them.

To read this article in full, please click here

Read More