Cisco fixes critical bugs in RV routers, exploit code available

Cisco has released patches for multiple vulnerabilities in the Small Business RV Series router platform that could allow remote attackers to gain complete control over the device, in many cases, without authentication.

In total, there are fifteen vulnerabilities fixed by these security updates, with five of them rated as Critical because threat actors can use them to gain ‘root’ privileges or remotely execute commands on the device.

According to the advisory, an attacker exploiting these flaws could execute arbitrary code, elevate privileges, run commands, bypass authentication protections, retrieve and execute unsigned software, and cause a denial of service (DoS) condition.

Numerous critical flaws

Cisco’s advisory notes that multiple security vulnerabilities have been classified as ‘Critical’ due to the ease of exploitation and potential for abuse.

The most significant vulnerabilities in terms of their severity are:

CVE-2022-20699: A code execution flaw in the SSL VPN module caused by an insufficient boundary check when processing specific HTTP requests. (CVSS v3 score 10.0)

CVE-2022-20700 and CVE-2022-20701: Privilege escalation (up to root) flaws in the router’s web-based management interface, which suffers from insufficient authorization enforcement mechanisms. (CVSS v3 score 10.0 and 9.0 respectively)

CVE-2022-20703: A signature verification bypass vulnerability in the software image verification feature, caused by improper verification of software images installed on the affected device. (CVSS v3 score 9.3)

CVE-2022-20708: Command injection flaw in the web-based management interface of the routers, which suffers from insufficient user-supplied input validation. (CVSS v3 score 10.0)

Cisco warns that some of these vulnerabilities need to be chained together to exploit an RV series router.

“Some of the vulnerabilities are dependent on one another. Exploitation of one of the vulnerabilities may be required to exploit another vulnerability,” explains the Cisco advisory.

The vulnerabilities tracked as CVE-2022-20700, CVE-2022-20701, CVE-2022-20702, CVE-2022-20703, CVE-2022-20704, CVE-2022-20705, CVE-2022-20706, CVE-2022-20710, and CVE-2022-20712 affect:

  • RV160 VPN Routers
  • RV160W Wireless-AC VPN Routers
  • RV260 VPN Routers
  • RV260P VPN Routers with PoE
  • RV260W Wireless-AC VPN Routers
  • RV340 Dual WAN Gigabit VPN Routers
  • RV340W Dual WAN Gigabit Wireless-AC VPN Routers
  • RV345 Dual WAN Gigabit VPN Routers
  • RV345P Dual WAN Gigabit POE VPN Routers

The CVE-2022-20699, CVE-2022-20707, CVE-2022-20708, CVE-2022-20709, CVE-2022-20711, and CVE-2022-20749 vulnerabilities only affect the following Cisco products:

  • RV340 Dual WAN Gigabit VPN Routers
  • RV340W Dual WAN Gigabit Wireless-AC VPN Routers
  • RV345 Dual WAN Gigabit VPN Routers
  • RV345P Dual WAN Gigabit POE VPN Routers

Even if your product isn’t affected by any critical vulnerabilities, there’s always a chance that threat actors will chain several less severe flaws to achieve high-impact attacks.

If you’re using any of the products listed above, it is highly recommended to apply the security updates as soon as possible.

PoC exploits available

The Cisco Product Security Incident Response Team (PSIRT) states that they are aware of proof-of-concept exploit code available for several of the vulnerabilities fixed in these updates.

The CVE-2022-20699 vulnerability was discovered and used by the FlashBack Team during the Pwn2Own Austin 2021 hacking contest.

FlashBack’s Pedro Ribeiro says they will be demonstrating the exploit and releasing a public PoC as part of their talk at OffensiveCon 2022 titled “Pwn2Own’ing Your Router Over the Internet.”

It is unknown what PoC exploits are available for the other vulnerabilities; however, once security updates are released, these PoCs tend to become public fairly quickly.

Once they are public, threat actors will quickly utilize them in attacks, making it important to update any RV routers as soon as possible.