Executive Summary

Cisco has supplied patches which address multiple vulnerabilities for their Small Business routers. Three of these vulnerabilities could be used by an unauthenticated attacker to remotely execute code on the device, or cause denial of service to the device.

What’s the risk to me or my business?

The critical vulnerability relates to the web-based management interface, which can lead to the full compromise of the device. As these devices are on the network perimeter, compromise of these devices can lead to further breaches of other networked systems and data.

What can I do?

Cisco has released software updates to address the vulnerabilities, which are available for download from their website, and should be applied out of band where possible, due to the severity of this issue.

Technical Summary

The following is a breakdown of the vulnerabilities with the affected Cisco products.

CVE-2022-20842: A remote code execution vulnerability with a CVSS 3.0 rating of 9.8, which allows a malicious attacker to exploit insufficient validation on user-supplied input by providing a crafted HTTP input to an affected device, allowing them to execute arbitrary code as the root user, or reload the device resulting in DOS. Affected devices:

·         RV340 Dual WAN Gigabit VPN Routers

·         RV340W Dual WAN Gigabit Wireless-AC VPN Routers

·         RV345 Dual WAN Gigabit VPN Routers

·         RV345P Dual WAN Gigabit POE VPN Routers

CVE-2022-20827: A command injection vulnerability with a CVSS 3.0 rating of 9.0, which allows a malicious attacker to exploit insufficient validation on the web filter database update feature, to perform command injection and execute commands with root privileges. Affected devices:

·         RV160 VPN Routers

·         RV160W Wireless-AC VPN Routers

·         RV260 VPN Routers

·         RV260P VPN Routers with PoE

·         RV260W Wireless-AC VPN Routers

·         RV340 Dual WAN Gigabit VPN Routers

·         RV340W Dual WAN Gigabit Wireless-AC VPN Routers

·         RV345 Dual WAN Gigabit VPN Routers

·         RV345P Dual WAN Gigabit POE VPN Routers

CVE-2022-20841: A command injection vulnerability with a CVSS 3.0 rating of 8.3, which allows a malicious attacker to exploit insufficient validation on the Open Plug and Play command, to perform command injection and execute commands on the underlying operating system via a man-in-the-middle attack or from another compromised device on the network. Affected devices:

·         RV160 VPN Routers

·         RV160W Wireless-AC VPN Routers

·         RV260 VPN Routers

·         RV260P VPN Routers with PoE

·         RV260W Wireless-AC VPN Routers

·         RV340 Dual WAN Gigabit VPN Routers

·         RV340W Dual WAN Gigabit Wireless-AC VPN Routers

·         RV345 Dual WAN Gigabit VPN Routers

·         RV345P Dual WAN Gigabit POE VPN Routers

Further technical information including links to software patches for specific affected devices can be found here: Cisco Small Business RV Series Routers Vulnerabilities

Need help understanding your gaps, or just want some advice? Get in touch with us.