Patch now! Cisco VPN routers are vulnerable to remote control

Cisco has released a security advisory about several vulnerabilities in the Cisco Small Business RV series routers, covering the RV160, RV260, RV340, and RV345.

There are no workarounds available that address these vulnerabilities, so you need to patch.

Vulnerabilities

The vulnerabilities are dependent on one another—exploitation of one of the vulnerabilities may be required to exploit another vulnerability.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). You will find the ones included in these updates listed below.

CVE-2022-20842

CVE-2022-20842 is a vulnerability in the web-based management interface of the Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. Exploitation of the vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.

This vulnerability is due to insufficient validation of user-supplied input to the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition.

CVE-2022-20827

CVE-2022-20827 is a vulnerability in the web filter database update feature of Cisco Small Business RV160, RV260, RV340, and RV345 series routers. Exploitation of the vulnerability could allow an unauthenticated, remote attacker to perform a command injection and execute commands on the underlying operating system with root privileges.

This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by submitting crafted input to the web filter database update feature.

CVE-2022-20841

CVE-2022-20841 is a vulnerability in the Open Plug and Play (PnP) module of Cisco Small Business RV160, RV260, RV340, and RV345 series routers. Exploitation of the vulnerability could allow an unauthenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious input to an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system. To exploit this vulnerability, an attacker must leverage a machine-in-the-middle position or have an established foothold on a specific network device connected to the affected router.

Input validation

After reading the vulnerability descriptions above you may wonder what “input validation” means, since the absence of it seems to be one of the underlying issues.

As you probably suspected, input validation is the name for the checks that are done on data being added to a system. It is necessary to ensure only properly formed data enters the workflow in an information system. When a system does not properly validate its inputs, it gives threat actors a chance to attempt several attacks, depending on the type of system.

The most common type is SQL injection, an attack used against databases. SQL commands are a mixture of actions (code) and things being acted upon (data). The external inputs that feed into SQL commands should only ever be interpreted as data. If they are interpreted as code then an attacker can inject input that changes the behaviour of an application’s SQL commands.

Insufficient input validation could allow an attacker to execute SQL commands that could destroy your database or provide the attacker with data stored in the database.

Mitigation

There are no workarounds that address these vulnerabilities but Cisco has released free software updates for them. Cisco states it is not aware of any public announcements or malicious use of the vulnerabilities. So, now is your chance to install those updates before that changes.

A list of releases in which these vulnerabilities have been fixed is available in the Cisco Security Advisory.

Stay safe, everyone!