Cisco has patched 14 vulnerabilities affecting some of its Small Business RV Series routers, the worst of which may allow attackers to achieve unauthenticated remote code execution or execute arbitrary commands on the underlying Linux operating system.
“The Cisco PSIRT is aware that proof-of-concept exploit code is available for several of the vulnerabilities that are described in this advisory,” the company said in the accompanying security advisory. Luckily, the PoCs aren’t public – Cisco (mostly) refers to the exploits used by security researchers to “pwn” the Cisco RV340 router at the Pwn2Own hacking contest held in Austin, Texas, in November 2021.
About the vulnerabilities
The vulnerabilities affect Cisco Small Business RV160, RV260, RV340, and RV345 Series routers.
They have received consecutive CVE numbers starting with CVE-2022-20699 and ending with CVE-2022-20712. A final one has been marked CVE-2022-20749.
They may allow attackers to:
- Achieve RCE
- Elevate their privileges to root and execute commans
- Install and boot a malicious software image or execute unsigned binaries on an affected device
- View or alter information that is shared between an affected device and specific Cisco servers
- Defeat authentication protections and access the devices’s web UI
- Inject and execute arbitrary commands on the underlying operating system
- Upload arbitrary files to an affected device
- Cause a denial of service (DoS) condition in the login functionality of the web-based management interface
- Overwrite certain files on an affected device
“Some of the vulnerabilities are dependent on one another. Exploitation of one of the vulnerabilities may be required to exploit another vulnerability,” Cisco added.
Since there are no workarounds available, applying the provided security updates as soon as possible is advised.
The only temporary glitch in this plan is that while a security update for RV340 and RV345 Series routers is already available, the one for the RV160 and RV260 Series is still in the works and will be released sometime this month.
Credit: Source link