Cisco patches 15 flaws in Cisco Small Business RV Series Routers, including three with critical 10.0 CVSSv3 scores.
Update February 4: Cisco has updated their advisory to announce partial patches for the RV160 and RV260 Series Routers. The Solution section has been updated with this information.
Background
On February 2, Cisco published an advisory for 15 vulnerabilities in its Small Business RV Series Routers. Three of the 15 vulnerabilities listed in the advisory received a CVSSv3 score of 10.0, the highest possible rating.
CVE
Type
CVSSv3
Cisco BugIDs
CVE-2022-20699
Remote Code Execution Vulnerability
10.0
CSCwa13836
CVE-2022-20700
Privilege Escalation Vulnerability
10.0
CSCwa14564, CSCwa14565
CVE-2022-20701
Privilege Escalation Vulnerability
9.0
CSCwa12836, CSCwa13119
CVE-2022-20702
Privilege Escalation Vulnerability
6.0
CSCwa15167, CSCwa15168
CVE-2022-20703
Digital Signature Verification Bypass Vulnerability
9.3
CSCwa12748, CSCwa13115
CVE-2022-20704
SSL Certificate Validation Vulnerability
4.8
CSCwa13205, CSCwa13682
CVE-2022-20705
Improper Session Management Vulnerability
5.3
CSCwa14601, CSCwa14602, CSCwa32432, CSCwa54598
CVE-2022-20706
Command Injection Vulnerability
8.3
CSCwa14007, CSCwa14008
CVE-2022-20707
Command Injection
7.3
CSCwa12732
CVE-2022-20708
Command Injection
10.0
CSCwa13900
CVE-2022-20749
Command Injection
7.3
CSCwa36774
CVE-2022-20709
Arbitrary File Upload
5.3
CSCwa13882
CVE-2022-20710
Denial of Service
5.3
CSCvz88279, CSCvz94704
CVE-2022-20711
Arbitrary File Overwrite
8.2
CSCwa13888
CVE-2022-20712
Remote Code Execution
7.3
CSCwa18769, CSCwa18770
Analysis
CVE-2022-20699 is a remote code execution (RCE) vulnerability in the Cisco RV340, RV340W, RV345 and RV345P Dual WAN Gigabit Routers. According to Cisco, the flaws exist due to an insufficient boundary check within the Secure Socket Layer Virtual Private Network (SSL VPN) module of these devices. A remote, unauthenticated attacker could exploit this flaw by sending a specially crafted HTTP request to a vulnerable device that is “acting as an SSL VPN Gateway.” Successful exploitation would grant an attacker arbitrary code execution on the device with root privileges.
CVE-2022-20700, CVE-2022-20701, CVE-2022-20702 are elevation of privilege vulnerabilities in the RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345 and RV345P routers. According to Cisco, these vulnerabilities reside in the web-based management interface of its Cisco Small Business RV Series Routers. The most severe of these three flaws is CVE-2022-20700. A remote, unauthenticated attacker could exploit this vulnerability by “submitting specific commands” to a vulnerable device. Successful exploitation would elevate the attacker’s privileges, allowing them to execute arbitrary commands as root.
CVE-2022-20707, CVE-2022-20708 and CVE-2022-20749 are RCE vulnerabilities in the Cisco RV340, RV340W, RV345 and RV345P Dual WAN Gigabit Routers. The most severe of these three flaws is CVE-2022-20708. According to Cisco, all three vulnerabilities reside in the web-based management interface of these devices. A remote, unauthenticated attacker could exploit these vulnerabilities by sending a specially crafted input to a vulnerable device. Successful exploitation would grant an attacker arbitrary command execution privileges at the operating system level.
At least 8,400 RV34X devices are publicly accessible
According to searches conducted on Shodan, there are at least 8,400* publicly accessible RV34X devices.
Router Model
Results
RV345
1,706
RV345P
616
RV340W
607
RV340
5,472
Total
8,401
*These results were captured on February 2, 2022
Proof of concept
In its advisory, Cisco says they are aware of proofs-of-concept (PoC) exploits for several of the vulnerabilities patched. However, none of the PoCs were hosted on public repositories like GitHub at the time this blog was published.
Solution
Cisco has released fixes for all 15 vulnerabilities for the RV340 and RV345 Series Routers. For the RV160 and RV260 Series routers, five of the vulnerabilities have been addressed in firmware release 1.0.01.07. The Cisco advisory notes that the additional fixes are expected soon. We recommend referring to the advisory to stay up to date on additional patches and recommendations from Cisco.
Product Identifier
Vulnerable Version
Fixed Version
RV160, RV160W, RV260, RV260P, RV260W
1.0.01.05 and below
1.0.01.07
RV340, RV340W, RV345 and RV345P
1.0.03.24
1.0.03.26 and above
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.
Get more information
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
More Stories
UK police reveal they are running fake DDoS-for-hire sites to collect details on cybercriminals
There's bad news if you're someone who is keen to launch a Distributed Denial-of-Service (DDoS) attack to boot a website...
Microsoft Fixes Security Flaw in Windows Screenshot Tools
Information disclosure vulnerability aCropalypse could enable malicious actors to recover sections of screenshots Read More
Three Variants of IcedID Malware Discovered
The new variants hint that considerable effort is going into the future of IcedID and its codebase Read More
New MacStealer Targets Catalina, Newer MacOS Versions
The malware can extract information from documents, browser cookies and login information Read More
Can zero trust be saved?
Graham Cluley Security News is sponsored this week by the folks at Kolide. Thanks to the great team there for...
Part of Twitter source code leaked on GitHub
Part of Twitter’s source code has been leaked and posted on GitHub by an unknown user. GitHub took down the...