Cisco Releases Patches to Fix Multiple Critical Vulnerabilities in its Small Business Routers

Cisco has released patches to fix 15 vulnerabilities in its Small Business RV160, RV260, RV340, and RV345 Series Routers, several of which are critical and three of which have the maximum CVSS severity score of 10/10. The vulnerabilities could be exploited to execute arbitrary code with root privileges, elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, and cause a denial of service. Cisco says some of the vulnerabilities are dependent on one another, and it may be necessary to exploit one to exploit another.

The three most serious vulnerabilities are tracked as CVE-2022-20699, CVE-2022-20700, and CVE-2022-20709, and each has a CVSS severity score of 10 out of 10.

CVE-2022-20699 is present in the SSL VPN module of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers and allows an unauthenticated attacker to execute arbitrary code on vulnerable devices. The flaw is due to insufficient boundary checks when processing HTTP requests and can be exploited by sending malicious HTTP requests to a vulnerable router acting as an SSL VPN Gateway.

CVE-2022-20700 (CVSS 10), CVE-2022-20701 (CVSS 9.0), and CVE-2022-20702 (CVSS 6.0) are flaws in the web-based management interface of Cisco Small Business RV Series Routers and are all due to insufficient authorization enforcement mechanisms. The vulnerabilities can be exploited by submitting specific commands to a vulnerable device and will allow an attacker to elevate privileges to root and execute arbitrary commands on a vulnerable system.

CVE-2022-20707 (CVSS 10), CVE-2022-20708 (CVSS 7.3), and CVE-2022-20749 (CVSS 7.3) are flaws in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers, and allow unauthenticated attackers to inject and execute arbitrary commands on the underlying Linux operating system. The flaws are due to insufficient validation of user-supplied input and can be exploited by sending malicious input to a vulnerable device.

CVE-2022-20703 (CVSS 9.3) is a flaw in the software image verification feature of Cisco Small Business RV Series Routers and could be exploited by an unauthenticated attacker to install and boot a malicious software image or execute unsigned binaries.

The remaining vulnerabilities are a mix of high- and medium-severity flaws and are tracked as CVE-2022-20704 (CVSS 4.8), CVE-2022-20705 (CVSS 5.3), CVE-2022-20706 (CVSS 8.3), CVE-2022-20706 (CVSS 5.3), CVE-2022-20710 (CVSS 5.3), CVE-2022-20711 (CVSS 8.2), and CVE-2022-20712 (CVSS 7.3).

Cisco says there are no workarounds. The vulnerabilities must be fixed by updating the router software. The patches should be applied as soon as possible to prevent exploitation. Proof-of-concept exploits for some of the vulnerabilities are in the public domain.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news