CVE-2022-20699, CVE-2022-20700, CVE-2022-20708: Critical Flaws in Cisco Small Business RV Series Routers
Cisco patches 15 flaws in Cisco Small Business RV Series Routers, including three with critical 10.0 CVSSv3 scores.
Update February 4: Cisco has updated their advisory to announce partial patches for the RV160 and RV260 Series Routers. The Solution section has been updated with this information.
Background
On February 2, Cisco published an advisory for 15 vulnerabilities in its Small Business RV Series Routers. Three of the 15 vulnerabilities listed in the advisory received a CVSSv3 score of 10.0, the highest possible rating.
| CVE | Type | CVSSv3 | Cisco BugIDs |
|---|---|---|---|
| CVE-2022-20699 | Remote Code Execution Vulnerability | 10.0 | CSCwa13836 |
| CVE-2022-20700 | Privilege Escalation Vulnerability | 10.0 | CSCwa14564, CSCwa14565 |
| CVE-2022-20701 | Privilege Escalation Vulnerability | 9.0 | CSCwa12836, CSCwa13119 |
| CVE-2022-20702 | Privilege Escalation Vulnerability | 6.0 | CSCwa15167, CSCwa15168 |
| CVE-2022-20703 | Digital Signature Verification Bypass Vulnerability | 9.3 | CSCwa12748, CSCwa13115 |
| CVE-2022-20704 | SSL Certificate Validation Vulnerability | 4.8 | CSCwa13205, CSCwa13682 |
| CVE-2022-20705 | Improper Session Management Vulnerability | 5.3 | CSCwa14601, CSCwa14602, CSCwa32432, CSCwa54598 |
| CVE-2022-20706 | Command Injection Vulnerability | 8.3 | CSCwa14007, CSCwa14008 |
| CVE-2022-20707 | Command Injection | 7.3 | CSCwa12732 |
| CVE-2022-20708 | Command Injection | 10.0 | CSCwa13900 |
| CVE-2022-20749 | Command Injection | 7.3 | CSCwa36774 |
| CVE-2022-20709 | Arbitrary File Upload | 5.3 | CSCwa13882 |
| CVE-2022-20710 | Denial of Service | 5.3 | CSCvz88279, CSCvz94704 |
| CVE-2022-20711 | Arbitrary File Overwrite | 8.2 | CSCwa13888 |
| CVE-2022-20712 | Remote Code Execution | 7.3 | CSCwa18769, CSCwa18770 |
Analysis
CVE-2022-20699 is a remote code execution (RCE) vulnerability in the Cisco RV340, RV340W, RV345 and RV345P Dual WAN Gigabit Routers. According to Cisco, the flaws exist due to an insufficient boundary check within the Secure Socket Layer Virtual Private Network (SSL VPN) module of these devices. A remote, unauthenticated attacker could exploit this flaw by sending a specially crafted HTTP request to a vulnerable device that is “acting as an SSL VPN Gateway.” Successful exploitation would grant an attacker arbitrary code execution on the device with root privileges.
CVE-2022-20700, CVE-2022-20701, CVE-2022-20702 are elevation of privilege vulnerabilities in the RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345 and RV345P routers. According to Cisco, these vulnerabilities reside in the web-based management interface of its Cisco Small Business RV Series Routers. The most severe of these three flaws is CVE-2022-20700. A remote, unauthenticated attacker could exploit this vulnerability by “submitting specific commands” to a vulnerable device. Successful exploitation would elevate the attacker’s privileges, allowing them to execute arbitrary commands as root.
CVE-2022-20707, CVE-2022-20708 and CVE-2022-20749 are RCE vulnerabilities in the Cisco RV340, RV340W, RV345 and RV345P Dual WAN Gigabit Routers. The most severe of these three flaws is CVE-2022-20708. According to Cisco, all three vulnerabilities reside in the web-based management interface of these devices. A remote, unauthenticated attacker could exploit these vulnerabilities by sending a specially crafted input to a vulnerable device. Successful exploitation would grant an attacker arbitrary command execution privileges at the operating system level.
At least 8,400 RV34X devices are publicly accessible
According to searches conducted on Shodan, there are at least 8,400* publicly accessible RV34X devices.
| Router Model | Results |
|---|---|
| RV345 | 1,706 |
| RV345P | 616 |
| RV340W | 607 |
| RV340 | 5,472 |
| Total | 8,401 |
*These results were captured on February 2, 2022
Proof of concept
In its advisory, Cisco says they are aware of proofs-of-concept (PoC) exploits for several of the vulnerabilities patched. However, none of the PoCs were hosted on public repositories like GitHub at the time this blog was published.
Solution
Cisco has released fixes for all 15 vulnerabilities for the RV340 and RV345 Series Routers. For the RV160 and RV260 Series routers, five of the vulnerabilities have been addressed in firmware release 1.0.01.07. The Cisco advisory notes that the additional fixes are expected soon. We recommend referring to the advisory to stay up to date on additional patches and recommendations from Cisco.
| Product Identifier | Vulnerable Version | Fixed Version |
|---|---|---|
| RV160, RV160W, RV260, RV260P, RV260W | 1.0.01.05 and below | 1.0.01.07 |
| RV340, RV340W, RV345 and RV345P | 1.0.03.24 | 1.0.03.26 and above |
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
Related Articles
Cybersecurity Snapshot: How To Boost Customers' Trust in Your Digital Services
May 12, 2023Check out how beefing up digital trust in your technology yields key business benefits. Plus, a sophisticated cyber espionage operation has been defused. Also, why cyberattack victims should speak up. In addition, don’t miss our poll on mobile device security. And much more!
Cybersecurity Snapshot: 6 Things That Matter Right Now
June 17, 2022Key vulnerabilities you can’t ignore. Best practices to improve operational technology (OT) cybersecurity. A reality check on shift left, DevSecOps and cloud security. Tackling the security skills gap. Healthcare data breaches. And much more!
You’ve Migrated Business-Critical Functions to the Cloud…Now What?
April 20, 2022An expanding attack surface demands a robust cybersecurity strategy. Here’s what you need to know.
Securing Financial Data in the Cloud: How Tenable Can Help
November 4, 2024Preventing data loss, complying with regulations, automating workflows and managing access are four key challenges facing financial institutions. Learn how Tenable can help.
Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security
November 1, 2024Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
- Remote Workforce
- Risk-based Vulnerability Management
- Vulnerability Management