Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

CVE-2022-20699, CVE-2022-20700, CVE-2022-20708: Critical Flaws in Cisco Small Business RV Series Routers

Cisco patches 15 flaws in Cisco Small Business RV Series Routers, including three with critical 10.0 CVSSv3 scores.

Update February 4: Cisco has updated their advisory to announce partial patches for the RV160 and RV260 Series Routers. The Solution section has been updated with this information.

Background

On February 2, Cisco published an advisory for 15 vulnerabilities in its Small Business RV Series Routers. Three of the 15 vulnerabilities listed in the advisory received a CVSSv3 score of 10.0, the highest possible rating.

CVE Type CVSSv3 Cisco BugIDs
CVE-2022-20699 Remote Code Execution Vulnerability 10.0 CSCwa13836
CVE-2022-20700 Privilege Escalation Vulnerability 10.0 CSCwa14564, CSCwa14565
CVE-2022-20701 Privilege Escalation Vulnerability 9.0 CSCwa12836, CSCwa13119
CVE-2022-20702 Privilege Escalation Vulnerability 6.0 CSCwa15167, CSCwa15168
CVE-2022-20703 Digital Signature Verification Bypass Vulnerability 9.3 CSCwa12748, CSCwa13115
CVE-2022-20704 SSL Certificate Validation Vulnerability 4.8 CSCwa13205, CSCwa13682
CVE-2022-20705 Improper Session Management Vulnerability 5.3 CSCwa14601, CSCwa14602, CSCwa32432, CSCwa54598
CVE-2022-20706 Command Injection Vulnerability 8.3 CSCwa14007, CSCwa14008
CVE-2022-20707 Command Injection 7.3 CSCwa12732
CVE-2022-20708 Command Injection 10.0 CSCwa13900
CVE-2022-20749 Command Injection 7.3 CSCwa36774
CVE-2022-20709 Arbitrary File Upload 5.3 CSCwa13882
CVE-2022-20710 Denial of Service 5.3 CSCvz88279, CSCvz94704
CVE-2022-20711 Arbitrary File Overwrite 8.2 CSCwa13888
CVE-2022-20712 Remote Code Execution 7.3 CSCwa18769, CSCwa18770

Analysis

CVE-2022-20699 is a remote code execution (RCE) vulnerability in the Cisco RV340, RV340W, RV345 and RV345P Dual WAN Gigabit Routers. According to Cisco, the flaws exist due to an insufficient boundary check within the Secure Socket Layer Virtual Private Network (SSL VPN) module of these devices. A remote, unauthenticated attacker could exploit this flaw by sending a specially crafted HTTP request to a vulnerable device that is “acting as an SSL VPN Gateway.” Successful exploitation would grant an attacker arbitrary code execution on the device with root privileges.

CVE-2022-20700, CVE-2022-20701, CVE-2022-20702 are elevation of privilege vulnerabilities in the RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345 and RV345P routers. According to Cisco, these vulnerabilities reside in the web-based management interface of its Cisco Small Business RV Series Routers. The most severe of these three flaws is CVE-2022-20700. A remote, unauthenticated attacker could exploit this vulnerability by “submitting specific commands” to a vulnerable device. Successful exploitation would elevate the attacker’s privileges, allowing them to execute arbitrary commands as root.

CVE-2022-20707, CVE-2022-20708 and CVE-2022-20749 are RCE vulnerabilities in the Cisco RV340, RV340W, RV345 and RV345P Dual WAN Gigabit Routers. The most severe of these three flaws is CVE-2022-20708. According to Cisco, all three vulnerabilities reside in the web-based management interface of these devices. A remote, unauthenticated attacker could exploit these vulnerabilities by sending a specially crafted input to a vulnerable device. Successful exploitation would grant an attacker arbitrary command execution privileges at the operating system level.

At least 8,400 RV34X devices are publicly accessible

According to searches conducted on Shodan, there are at least 8,400* publicly accessible RV34X devices.

Router Model Results
RV345 1,706
RV345P 616
RV340W 607
RV340 5,472
Total 8,401

*These results were captured on February 2, 2022

Proof of concept

In its advisory, Cisco says they are aware of proofs-of-concept (PoC) exploits for several of the vulnerabilities patched. However, none of the PoCs were hosted on public repositories like GitHub at the time this blog was published.

Solution

Cisco has released fixes for all 15 vulnerabilities for the RV340 and RV345 Series Routers. For the RV160 and RV260 Series routers, five of the vulnerabilities have been addressed in firmware release 1.0.01.07. The Cisco advisory notes that the additional fixes are expected soon. We recommend referring to the advisory to stay up to date on additional patches and recommendations from Cisco.

Product Identifier Vulnerable Version Fixed Version
RV160, RV160W, RV260, RV260P, RV260W 1.0.01.05 and below 1.0.01.07
RV340, RV340W, RV345 and RV345P 1.0.03.24 1.0.03.26 and above

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

tenable.io

FREE FOR 30 DAYS


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Tenable.io FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable.cs

FREE FOR 30 DAYS Enjoy full access to detect and fix cloud infrastructure misconfigurations in the design, build and runtime phases of your software development lifecycle.

Buy Tenable.cs

Contact a Sales Representative to learn more about Cloud Security and how you can secure every step from code to cloud.