Cisco Fixes Critical Remote Code Execution Bug in VPN Routers
Cisco has fixed critical security vulnerabilities affecting Small Business VPN routers and enabling unauthenticated, remote attackers to execute arbitrary code or commands and trigger denial of service (DoS) conditions on vulnerable devices.
The two security flaws tracked as CVE-2022-20842 and CVE-2022-20827 were found in the web-based management interfaces and the web filter database update feature, and are both caused by insufficient input validation.
Successful exploitation of CVE-2022-20842 with crafted HTTP input could allow attackers “to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition,” the company explains.
CVE-2022-20827 exploits by submitting crafted input to the web filter database update feature can let threat actors “execute commands on the underlying operating system with root privileges.”
The complete list of routers affected by these bugs includes Small Business RV160, RV260, RV340, and RV345 series VPN routers (CVE-2022-20842 only impacts the last two).
|Affected by CVE-2022-20827||Affected Releases||First Fixed Release|
|RV160 and RV260 Series Routers||Earlier than 1.0.01.05||Not vulnerable|
|RV160 and RV260 Series Routers||1.0.01.05||1.0.01.09|
|RV340 and RV345 Series Routers||Earlier than 1.0.03.26||Not vulnerable|
|RV340 and RV345 Series Routers||1.0.03.26||1.0.03.28|
|Affected by CVE-2022-20842||Affected Releases||First Fixed Release|
|RV340 and RV345 Series Routers||1.0.03.26 and earlier||1.0.03.28|
Both flaws are exploitable remotely without requiring authentication in attacks that don’t require user interaction.
Cisco has released software updates to address both vulnerabilities and says there are no workarounds to remove the attack vectors.
No in-the-wild exploitation
These security vulnerabilities were found by security researchers with the IoT Inspector Research Lab, the Chaitin Security Research Lab, and the CLP-team.
The company’s Product Security Incident Response Team (PSIRT) said Cisco is unaware of active exploitation or publicly available exploits in the wild.
Today, Cisco has also patched a third, high severity bug (CVE-2022-20841) in the Open Plug and Play (PnP) module of RV160, RV260, RV340, and RV345 series routers.
If unpatched, this flaw can let attackers execute arbitrary commands on the underlying Linux operating system by sending malicious input to unpatched devices.
However, it also requires the threat actor to “leverage a man-in-the-middle position or have an established foothold on a specific network device that is connected to the affected router.”
Last month, Cisco addressed another set of severe security bugs in the Cisco Nexus Dashboard data center management solution that let unauthenticated attackers execute commands and perform actions remotely with root or Administrator privileges.