Cisco has uncovered five critical flaws, three of which have a 10/10 rating on the Common Vulnerability Scoring System, affecting four of its routers aimed at small businesses. And patches are available for only two of them.
The bugs affect the RV160, RV260, RV340 and RV345 products, all of which can be abused to:
- execute arbitrary code;
- elevate privileges;
- run arbitrary commands;
- bypass authentication and authorization protections;
- retrieve and run unsigned software.
If that’s not enough to worry about, the boxes can also be tricked into creating DDoS attacks.
The three defects rated 10/10 are:
- CVE-2022-20699: This is the remote code execution bug, and it exists due to insufficient boundary checks when processing certain HTTP requests. An attacker sending malicious HTTP requests could run code with root privileges.
- CVE-2022-20700: A privilege escalation bug that exists thanks to what Cisco describes as “inadequate authorization enforcement mechanisms.” Backdoor conspiracy theorists, this is for you – because Cisco says, “An attacker could exploit these vulnerabilities by sending specific commands to an affected device.” CVE-2022-20701 and CVE-2022-20702, rated 9/10 and 6/10, also allow privilege escalation.
- CVE-2022-20708: The third 10/10 bug allows command injection: if an attacker sends the right input to a device, they can run arbitrary commands on the underlying Linux operating system.
Cisco’s advisory lists 15 CVEs, with two more classified as critical: the 9.3/10 CVE-2022-20703 and the 9/10 CVE-2022-20701.
Six of the other vulnerabilities have a high rating, meaning they scored between 7.0 and 8.9 on the CVSS.
Cisco has updated the software for the RV340 and RV345 series, but the RV160 and RV260 are still awaiting their patches. The network giant hasn’t revealed when this code will appear.
This lack of patches is worrying, as Cisco admits it is aware that proof-of-concept exploit code is available for several of the disclosed vulnerabilities. It is perhaps even more frightening when you consider that small businesses often get by without technical support: many customers may never be notified that these flaws exist, or have the skills to update a router.
On February 2, security firm Tenable ran a Shodan scan looking for the affected routers and found “at least 8,400 public-facing RV34X devices.” Fortunately, the company says it can’t find any exploits for the devices in public repositories.
There is a possibility that the situation will change quickly – for the worse.
Being asked to do ad hoc tech support for friends and family is never fun. Could this triple dose of absolutely critical issues be the moment to offer advice? ®