Cisco releases patches to fix critical bugs affecting four SMB router families
Cisco disclosed 15 bugs, of which three have received a CVSS v3 score of 10 out of 10
Cisco Systems on Wednesday released security patches to fix multiple security vulnerabilities in the company's RV series small-business routers that could enable attackers to do everything from remote code execution (RCE) to accessing corporate networks, without authentication in many cases.
In total, Cisco disclosed 15 different vulnerabilities in its latest security advisory.
According to the company, five of these bugs are rated as 'Critical' as they could allow malicious actors to gain 'root' privileges or remotely execute commands on a vulnerable device.
Other bugs could enable attackers to evade authentication protections, run unsigned software, and cause a denial of service (DoS) condition.
Cisco's RV series is a set of affordable VPN appliances that come with built-in firewalls, authentication features and advanced encryption and enable remote workers to connect to a company network.
According to Cisco, the 15 vulnerabilities disclosed this week variously affect the RV160, RV260, RV340 and RV345 series routers.
Some of the bugs are exploitable on their own, while others need to be chained together in order to be abused by malicious actors.
The three Critical bugs that received a CVSS v3 score of 10 out of 10 are CVE-2022-20699, CVE-2022-20700 and CVE-2022-20708.
CVE-2022-20699 is an RCE bug in the SSL VPN module, caused by insufficient boundary checks when processing specific HTTP requests. According to Cisco, a malicious actor could exploit this bug to execute code with root privileges after sending malicious HTTP requests.
CVE-2022-20700, a privilege escalation vulnerability in the router's web-based management interface, arises as a result of an 'insufficient authorisation enforcement mechanism' and could be exploited by submitting specific commands to a vulnerable device.
The third 10/10 bug is CVE-2022-20708, which could enable an attacker to achieve command injection and run arbitrary commands on the underlying Linux operating system by sending the right input to an affected device.
The other two Critical-rated flaws are CVE-2022-20703 and CVE-2022-20701, which received CVSS scores of 9.3/10 and 9/10, respectively.
While CVE-2022-20703 is a signature verification bypass vulnerability in the software image verification feature, CVE-2022-20701 is a privilege escalation flaw that arises due to an insufficient authorisation enforcement mechanism.
Other vulnerabilities disclosed by Cisco are: CVE-2022-20702, CVE-2022-20704, CVE-2022-20705, CVE-2022-20706, CVE-2022-20707, CVE-2022-20709, CVE-2022-20710, CVE-2022-20711, CVE-2022-20712, and CVE-2022-20749.
So far, Cisco has released updated software for the RV340 and RV345 series only; the RV160 and RV260 series are yet to receive the patches.
Cisco researchers said that they are aware of proof-of-concept (PoC) exploit code available for many of the bugs fixed in the security updates.
In a blog post, security firm Tenable said it ran a Shodan scan this week to search for vulnerable routers, and found that at least 8,400 RV34X devices were publicly accessible.
Cisco is now advising admins to update their RV routers as soon as possible in order to protect their devices and networks from attacks by malicious actors.