Cisco Patches Critical Vulnerabilities in Small Business RV Routers
Cisco this week announced patches for multiple vulnerabilities in its Small Business RV160, RV260, RV340, and RV345 series routers, including critical bugs that could lead to the execution of arbitrary code with root privileges.
The most severe of these issues is CVE-2022-20699 (CVSS score of 10.0), as it allows an unauthenticated, remote attacker to execute arbitrary code on a vulnerable device. The bug exists because there aren’t sufficient boundary checks performed during the processing of specific HTTP requests.
“An attacker could exploit this vulnerability by sending malicious HTTP requests to the affected device that is acting as an SSL VPN Gateway. A successful exploit could allow the attacker to execute code with root privileges on the affected device,” Cisco explains in its advisory.
Cisco also released patches for three flaws in the web-based management interface of the Small Business RV routers, which could allow an attacker to escalate privileges to root and execute arbitrary commands on the device.
The three issues are tracked as CVE-2022-20700 (CVSS score of 10), CVE-2022-20701 (CVSS score of 9.0), and CVE-2022-20702 (CVSS score of 6.0). Because of insufficient authorization enforcement mechanisms, the flaws can be triggered by submitting specific commands to an affected device.
Another critical flaw was found in the software image verification feature of Cisco’s small business routers. Tracked as CVE-2022-20703 (CVSS score of 9.3), the bug could allow a local attacker “to install and boot a malicious software image or execute unsigned binaries on an affected device,” without authentication.
CVE-2022-20708 (CVSS score of 10.0) is another critical vulnerability that Cisco released patches for this week. Affecting the web-based management interface, the security error could be exploited to inject and execute commands on the device remotely, without authentication.
Two other similar issues were also addressed, though they have a severity rating of “high” (CVE-2022-20707 and CVE-2022-20749, CVSS score of 7.3).
“These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by sending malicious input to an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system,” Cisco explains.
Cisco’s advisory describes various other high- and medium-severity vulnerabilities in the RV series routers. The flaws can be exploited to inject and execute arbitrary commands, obtain partial administrative privileges, view or alter information shared with other devices, overwrite certain files, upload arbitrary files, cause a denial of service (DoS) condition, or execute arbitrary code.
Cisco has released software updates to address these vulnerabilities in RV340 and RV345 routers and encourages users to install them, as there are no workarounds to mitigate the bugs. Updates for RV160 and RV260 routers are expected to be released this month.
The company also warns of the public existence of proof-of-concept (PoC) exploit code targeting some of these vulnerabilities.