Cisco patches 15 flaws in Cisco Small Business RV Series Routers, including three with critical 10.0 CVSSv3 scores.

Background

On February 2, Cisco published an advisory for 15 vulnerabilities in its Small Business RV Series Routers. Three of the 15 vulnerabilities listed in the advisory received a CVSSv3 score of 10.0, the highest possible rating.

CVE
Type
CVSSv3
Cisco BugIDs

CVE-2022-20699
Remote Code Execution Vulnerability
10.0
CSCwa13836

CVE-2022-20700
Privilege Escalation Vulnerability
10.0
CSCwa14564, CSCwa14565

CVE-2022-20701
Privilege Escalation Vulnerability
9.0
CSCwa12836, CSCwa13119

CVE-2022-20702
Privilege Escalation Vulnerability
6.0
CSCwa15167, CSCwa15168

CVE-2022-20703
Digital Signature Verification Bypass Vulnerability
9.3
CSCwa12748, CSCwa13115

CVE-2022-20704
SSL Certificate Validation Vulnerability
4.8
CSCwa13205, CSCwa13682

CVE-2022-20705
Improper Session Management Vulnerability
5.3
CSCwa14601, CSCwa14602, CSCwa32432, CSCwa54598

CVE-2022-20706
Command Injection Vulnerability
8.3
CSCwa14007, CSCwa14008

CVE-2022-20707
Command Injection
7.3
CSCwa12732

CVE-2022-20708
Command Injection
10.0
CSCwa13900

CVE-2022-20749
Command Injection
7.3
CSCwa36774

CVE-2022-20709
Arbitrary File Upload
5.3
CSCwa13882

CVE-2022-20710
Denial of Service
5.3
CSCvz88279, CSCvz94704

CVE-2022-20711
Arbitrary File Overwrite
8.2
CSCwa13888

CVE-2022-20712
Remote Code Execution
7.3
CSCwa18769, CSCwa18770

Analysis

CVE-2022-20699 is a remote code execution (RCE) vulnerability in the Cisco RV340, RV340W, RV345 and RV345P Dual WAN Gigabit Routers. According to Cisco, the flaws exist due to an insufficient boundary check within the Secure Socket Layer Virtual Private Network (SSL VPN) module of these devices. A remote, unauthenticated attacker could exploit this flaw by sending a specially crafted HTTP request to a vulnerable device that is “acting as an SSL VPN Gateway.” Successful exploitation would grant an attacker arbitrary code execution on the device with root privileges.

CVE-2022-20700, CVE-2022-20701, CVE-2022-20702 are elevation of privilege vulnerabilities in the RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345 and RV345P routers. According to Cisco, these vulnerabilities reside in the web-based management interface of its Cisco Small Business RV Series Routers. The most severe of these three flaws is CVE-2022-20700. A remote, unauthenticated attacker could exploit this vulnerability by “submitting specific commands” to a vulnerable device. Successful exploitation would elevate the attacker’s privileges, allowing them to execute arbitrary commands as root.

CVE-2022-20707, CVE-2022-20708 and CVE-2022-20749 are RCE vulnerabilities in the Cisco RV340, RV340W, RV345 and RV345P Dual WAN Gigabit Routers. The most severe of these three flaws is CVE-2022-20708. According to Cisco, all three vulnerabilities reside in the web-based management interface of these devices. A remote, unauthenticated attacker could exploit these vulnerabilities by sending a specially crafted input to a vulnerable device. Successful exploitation would grant an attacker arbitrary command execution privileges at the operating system level.

At least 8,400 RV34X devices are publicly accessible

According to searches conducted on Shodan, there are at least 8,400* publicly accessible RV34X devices.

Router Model
Results

RV345
1,706

RV345P
616

RV340W
607

RV340
5,472

Total
8,401

*These results were captured on February 2, 2022

Proof of concept

In its advisory, Cisco says they are aware of proofs-of-concept (PoC) exploits for several of the vulnerabilities patched. However, none of the PoCs were hosted on public repositories like GitHub at the time this blog was published.

Solution

Cisco has released fixes for all 15 vulnerabilities for the RV340 and RV345 Series Routers. For the RV160 and RV260 Series routers, five of the vulnerabilities have been addressed in firmware release 1.0.01.07. The Cisco advisory notes that the additional fixes are expected soon. We recommend referring to the advisory to stay up to date on additional patches and recommendations from Cisco.

Product Identifier
Vulnerable Version
Fixed Version

RV160, RV160W, RV260, RV260P, RV260W
1.0.01.05 and below
1.0.01.07

RV340, RV340W, RV345 and RV345P
1.0.03.24
1.0.03.26 and above

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Cisco Security Advisory

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Read More

Graham Cluley Security News is sponsored this week by the folks at HYPR. Thanks to the great team there for their support! A new guide provides practical guidance for eliminating passwords to accelerate your Zero Trust strategy, and explains how Zero Trust can increase business agility. The free guide, by the analysts at The Cyber … Continue reading “Zero trust with zero passwords – free guide explains what you need to know”

Read More

MIT Technology Review published an interview with Gil Herrera, the new head of the NSA’s Research Directorate. There’s a lot of talk about quantum computing, monitoring 5G networks, and the problems of big data:

The math department, often in conjunction with the computer science department, helps tackle one of NSA’s most interesting problems: big data. Despite public reckoning over mass surveillance, NSA famously faces the challenge of collecting such extreme quantities of data that, on top of legal and ethical problems, it can be nearly impossible to sift through all of it to find everything of value. NSA views the kind of “vast access and collection” that it talks about internally as both an achievement and its own set of problems. The field of data science aims to solve them.

“Everyone thinks their data is the messiest in the world, and mine maybe is because it’s taken from people who don’t want us to have it, frankly,” said Herrera’s immediate predecessor at the NSA, the computer scientist Deborah Frincke, during a 2017 talk at Stanford. “The adversary does not speak clearly in English with nice statements into a mic and, if we can’t understand it, send us a clearer statement.”

Making sense of vast stores of unclear, often stolen data in hundreds of languages and even more technical formats remains one of the directorate’s enduring tasks.

Read More

Who’s that new guy working at your company, and why don’t you recognise him from the interview? How are hacktivists raising the heat in Belarus? And should you be fully vaxxed for your online date?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Read More

Gaining investment from business leaders to create a mature cybersecurity program and fund initiatives is an imperative for success in enterprise risk mitigation. All too often, security and IT organizations struggle to capture the attention of executives needed to advance their priorities and build even basic cybersecurity capabilities.

Year after year, important initiatives get deprioritized for other business initiatives, pushing out the adoption of important technologies or funding of headcount to manage critical processes. The result is an organization with increasing exposure to risk and unwanted cybersecurity challenges. Fundamental capabilities for effective security operations that improve visibility, such as a SIEM, are deemed too expensive.

What strategies can cybersecurity staff use to cut through the noise of competing business initiatives and get the focus and investment they need to achieve their objectives? Or to properly fund the adoption of a new technology or capability? 

One way is to build a reporting system that speaks executive language and abstracts difficult to understand technology into business concepts: risk, reward, performance objectives, metrics, and success. Simply establishing what the basic priorities of a cybersecurity program are and then formally reporting out on key performance indicators on a regular basis can have a profound impact. What an organization chooses to pay attention naturally grows. 

What is reported can vary from organization to organization, depending on the operating environment, the type of data transmitted and stored, and regulatory and compliance standards in play, to name a few. A guiding principle should be simplicity; too many data points create noise and inaction. At a minimum, many organizations will look at the attack surface, vulnerabilities and exposures, incidents, and employee training as a good starting point. 

Asset management

Asset management is at the core of every program. It’s impossible to guard what you don’t know or see, and yet most organizations fail to have a full grasp of their basic IT footprint. Every piece of hardware and software owned by an organization must be accounted for and every connection to its networks and infrastructure from ancillary systems monitored.

Shadow IT, Bring Your Own Device, and Work from Anywhere have exacerbated these challenges as traditional network edges evaporate and the flow of corporate data across untrusted networks and devices has become increasingly common. This complicated patch work is the corporation’s attack surface. Reporting the scope of that footprint, at the very least, demonstrates awareness of what matters to the organization.

Surprisingly, many organizations can’t easily quantify how many servers they own, the type of operating systems they run, the number of workstations and mobile devices they have, or even where their assets are at any given point in time. This knowledge is fundamental and reporting it regularly to executives ensures that they appreciate the scope of the program while also establishing a priority to keep data fresh and consistently update to date. 

Vulnerabilities and patch management

This is perhaps one of the most impactful KPIs, not only because it’s so important in protecting the enterprise, but because it’s a constantly moving target (NIST’s National Vulnerability Database boasts greater than 17,000 submitted CVEs just this year). The vast majority of data breaches (upwards of 90%) leverage exploitation of a known vulnerability.

An effective vulnerability management program should involve scanning to identify new vulnerabilities in their infrastructure on a regular basis. KPIs around this can include the number of existing vulnerabilities discovered in the organization over the reporting period, categorization by CVE, how quickly they are patched after discovery, and graphs that linearly show reduction in vulnerabilities over time.

Cyber incidents

A risk register that tracks every incident in the organization, its severity, the resolution, and lessons learned is a must. Raising awareness to incident quantity, associated impacts to the business, efforts to determine root cause, and mitigations are essential.

Many organizations lack even a fundamental classification system that is well understood across the company. Socializing with executives the incidents from the last reporting period reinforces a shared understanding of what constitutes a Level 1 versus a Level 4 incident, the organization’s expected response, who should be notified, etc. A KPI review keeps these classification systems top of mind and also improves overall organizational readiness when new incidents occur.

Employee training

Performance metrics can include the progress of employee training and awareness campaigns, structured training (online and in-person), initiatives that focus on core concepts (such as thinking before clicking, or how a clean desk is a cybersecurity priority), or the lessons learned from a recent tabletop exercise.

All make for great topics of discussion with executive stakeholders. Many organizations get fun and creative in this area, coming up with security mascots or even inter-business unit competitions.

Getting started

For organizations that are early in the KPI development journey, a great launch point is a Balanced Scorecard. This innovative approach to change management helps:

clarify vision, mission, and strategic themes
gain alignment and buy-in
break through organizational silos
define key objectives, initiatives, and success metrics
inform dashboard content

Initially designed by Dr. Robert Kaplan and Dr. David Norton for performance management, this framework can be valuable tool for a security team to organize their strategy and distill out simple measures of success. 

Cultivate curiosity 

Perhaps the best value of a KPI review is the simple act of cultivating curiosity. KPI reviews are an opportunity for executives to question the what and the why; to inquire more deeply. Provoking curiosity inherently creates focus, attention, and concern. Cultivating it is one of the powerful catalysts a security team can use in maturing cybersecurity program.

Many technologists, buried in complexities of engineering solutions and securing bits and bytes, underutilize this simple strategy to keep their priorities top of mind with business leaders. Cultivate curiosity, generate questions, and watch investment in your ideas and programs grow.

Read More

The IT systems of KP Snacks have been hit by ransomware. And it might well impact the British public’s waistlines as well as the company’s profits:

Read More