Multiple Vulnerabilities in Cisco Products Could Allow for Arbitrary Code Execution

by CIRT Team

09 Feb 2022

in Security Advisories & Alerts

No Comments

2020

DESCRIPTION:
Multiple vulnerabilities have been discovered in Cisco Products, the
most severe of which could allow for arbitrary code execution.
Successful exploitation of the most severe of these vulnerabilities
could allow an unauthenticated, remote attacker to execute code on the
affected systems. Depending on the privileges associated with the
targeted user, an attacker could then install programs; view, change, or
delete data; or create new accounts with full user rights. Users
configured to have fewer privileges on the system could be less impacted
than those who operate with elevated privileges.

IMPACT:
Multiple vulnerabilities have been discovered in Cisco Products where
successful exploitation of the most severe could allow for arbitrary
code execution. Details of the vulnerabilities are as follows:

* A vulnerability in the SSL VPN module of Cisco Small Business RV340,
RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an
unauthenticated, remote attacker to execute arbitrary code on an
affected device. (CVE-2022-20699, CWE-285)

* Multiple vulnerabilities in the web-based management interface of
Cisco Small Business RV Series Routers could allow a remote attacker to
elevate privileges to root. (CVE-2022-20700, CVE-2022-20701,
CVE-2022-20702 and CWE-269)
* A vulnerability in the software image verification feature of Cisco
Small Business RV Series Routers could allow an unauthenticated, local
attacker to install and boot a malicious software image or execute
unsigned binaries on an affected device. (CVE-2022-20703 and CWE-434)
* A vulnerability in the software upgrade module of Cisco Small Business
RV Series Routers could allow an unauthenticated, remote attacker to
view or alter information that is shared between an affected device and
specific Cisco servers (cloudsso.cisco.com and api.cisco.com).
(CVE-2022-20704 and CWE-552)
* A vulnerability in the session management of the web UI of Cisco Small
Business RV Series Routers could allow an unauthenticated, remote
attacker to defeat authentication protections and access the web UI. The
attacker could obtain partial administrative privileges and perform
unauthorized actions. (CVE-2022-20705, CWE-285)
* A vulnerability in the Open Plug and Play (PnP) module of Cisco Small
Business RV Series Routers could allow an unauthenticated, remote
attacker to inject and execute arbitrary commands on the underlying
operating system. (CVE-2022-20706, CWE-77)
* Multiple vulnerabilities in the web-based management interface of
Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit
VPN Routers could allow an unauthenticated, remote attacker to inject
and execute arbitrary commands on the underlying operating system.
(CVE-2022-20707, CVE-2022-20708, CVE-2022-20749, CWE-77)
* A vulnerability in the web-based management interface of Cisco RV340,
RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an
unauthenticated, remote attacker to upload arbitrary files to an
affected device. (CVE-2022-20709, CWE-434)
* A vulnerability in the internal interprocess communication of Cisco
Small Business RV Series Routers could allow an unauthenticated, remote
attacker to cause a denial of service (DoS) condition in the login
functionality of the web-based management interface. (CVE-2022-20710,
CWE-785)
* A vulnerability in the web UI of Cisco RV340, RV340W, RV345, and
RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated,
remote attacker to overwrite certain files on an affected device.
(CVE-2022-20711, CWE-785)
* A vulnerability in the upload module of Cisco Small Business RV Series
Routers could allow an unauthenticated, remote attacker to execute
arbitrary code on an affected device. (CVE-2022-20712, CWE-77)

Successful exploitation of the most severe of these vulnerabilities
could allow for arbitrary code execution in the context of the targeted
user. Depending on the privileges associated with the user, an attacker
could then install programs; view, change, or delete data; or create new
accounts with full user rights. Users whose accounts are configured to
have fewer user rights on the system could be less impacted than those
who operate with administrative user rights.

SYSTEM AFFECTED:
* RV160 VPN Routers
* RV160W Wireless-AC VPN Routers
* RV260 VPN Routers
* RV260P VPN Routers with PoE
* RV260W Wireless-AC VPN Routers
* RV340 Dual WAN Gigabit VPN Routers
* RV340W Dual WAN Gigabit Wireless-AC VPN Routers
* RV345 Dual WAN Gigabit VPN Routers
* RV345P Dual WAN Gigabit POE VPN Routers

RECOMMENDATIONS:
We recommend the following actions be taken:

* Install the update provided by Cisco immediately after appropriate
testing.
* Run all software as a non-privileged user (one without administrative
privileges) to diminish the effects of a successful attack.
* Remind users not to visit websites or follow links provided by unknown
or untrusted sources.
* Inform and educate users regarding the threats posed by hypertext
links contained in emails or attachments especially from un-trusted sources.
* Apply the Principle of Least Privilege to all systems and services.