Cisco has disclosed five critical vulnerabilities, three of them rated a maximum 10/10 on the Common Vulnerability Scoring System (CVSS), in four of its router families aimed at small businesses. It has patches for only two of the affected ranges.
The flaws affect the RV160, RV260, RV340 and RV345 product lines. Between them, the bugs can be abused for:
- Arbitrary code execution;
- Privilege elevation;
- Execution of arbitrary commands;
- Authentication and authorization protection bypasses;
- Fetching and running unsigned software.
If that’s not enough to worry about, the boxes can also be knocked over with a denial-of-service (DoS) condition.
The three 10/10-rated flaws are:
- CVE-2022-20699 This is the remote code execution flaw. It exists thanks to insufficient boundary checks when processing specific HTTP requests, so an unauthenticated, remote attacker who sends malicious HTTP requests to an affected device acting as an SSL VPN gateway could execute code with root privileges.
- CVE-2022-20700 A privilege escalation flaw that exists thanks to what Cisco describes as “insufficient authorization enforcement mechanisms.” Backdoor conspiracy theorists, this one’s for you, because Cisco says “An attacker could exploit these vulnerabilities by submitting specific commands to an affected device.” CVE-2022-20701 and CVE-2022-20702, rated 9/10 and 6/10 respectively, are privilege escalation flaws of the same kind.
- CVE-2022-20708 The third 10/10 flaw is a command injection bug: an attacker who sends crafted input to an affected device could execute arbitrary commands on the underlying Linux operating system.
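The two bug classes behind the 10/10 flaws, a missing boundary check on HTTP request data and command injection into the underlying shell, shown as an added C illustration. This is not Cisco's code and does not reproduce the actual RV-series defects; the function names, buffer size and sample inputs are hypothetical, and each vulnerable form is placed beside a hardened one.

```c
/* Added illustration, not Cisco's code and not the real RV-series bugs: the two
 * bug classes the 10/10 flaws are described as (a missing boundary check on HTTP
 * request data, and command injection into the Linux shell), each beside a
 * hardened form. Function names, buffer sizes and inputs are hypothetical. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define PATH_BUF 64   /* fixed buffer a request handler might reserve for the path */

/* 1. Insufficient boundary check: an unbounded copy, so a request line with a
 *    path longer than PATH_BUF bytes overruns the caller's buffer (CWE-120). */
int parse_path_unsafe(const char *request_line, char *path_out)
{
    const char *start = strchr(request_line, ' ');
    if (!start) return -1;
    strcpy(path_out, start + 1);            /* no length check at all */
    return 0;
}

/* Hardened: measure first, refuse (rather than silently truncate) anything that
 * does not fit, then copy exactly that many bytes. */
int parse_path_safe(const char *request_line, char *path_out, size_t out_len)
{
    const char *start = strchr(request_line, ' ');
    if (!start) return -1;
    start++;
    size_t n = strcspn(start, " \r\n");     /* path ends at next space or EOL */
    if (n == 0 || n >= out_len) return -1;  /* empty, or too long for the buffer */
    memcpy(path_out, start, n);
    path_out[n] = '\0';
    return 0;
}

/* 2. Command injection: user input is interpolated into a shell command line, so
 *    "127.0.0.1; cat /etc/shadow" runs a second command as the daemon's user. */
int ping_host_unsafe(const char *host)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    return system(cmd);                     /* the shell parses ';', '|', '$(...)' */
}

/* Hardened: allowlist hostname/IP characters (and no leading '-', so the value
 * cannot turn into a ping option), then exec with an argv and no shell at all. */
bool is_safe_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-') return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':') return false;
    }
    return true;
}

int ping_host_safe(const char *host)
{
    if (!is_safe_host(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp("ping", argv);               /* argv elements are never re-parsed */
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-checks (constructed inputs) that return 1 on the expected behaviour. */
int check_overlong_path_rejected(void)
{
    char req[320] = "GET /";
    memset(req + 5, 'A', 280);              /* 281-byte path, far beyond PATH_BUF */
    strcpy(req + 285, " HTTP/1.1\r\n");
    char path[PATH_BUF];
    return parse_path_safe(req, path, sizeof path) == -1;
}

int check_normal_path_parsed(void)
{
    char path[PATH_BUF];
    return parse_path_safe("GET /index.html HTTP/1.1\r\n", path, sizeof path) == 0
        && strcmp(path, "/index.html") == 0;
}

int main(void)
{
    printf("overlong path rejected: %d, normal path parsed: %d\n",
           check_overlong_path_rejected(), check_normal_path_parsed());
    const char *hosts[] = { "192.0.2.10", "127.0.0.1; cat /etc/shadow", "$(id)", "-I eth0" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-28s -> %s\n", hosts[i], is_safe_host(hosts[i]) ? "allowed" : "rejected");
    return 0;
}
```

The hardened parser refuses an overlong path instead of truncating or overrunning, which is the check the advisory says was missing. The ping wrapper never hands user input to a shell: the host is validated against an allowlist and passed as a single argv element to execvp, so ';', '|' and '$(...)' are never interpreted, and the leading-'-' rule stops the value being read as an option.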
Cisco’s advisory lists 15 CVEs, another two of which are rated critical: the 9.3/10 CVE-2022-20703 and the 9/10 CVE-2022-20701.
Six of the other vulns have a High rating, meaning they’ve scored between 7.0 and 8.9 on the CVSS.
Cisco has released fixed software for the RV340 and RV345 series, but the RV160 and RV260 still await their patches. The networking giant hasn’t said when that code will arrive.
That lack of patches is scary, because Cisco admits it’s aware that proof-of-concept exploit code is available for several of the vulnerabilities it has disclosed. Perhaps scarier still, given that small businesses often go without tech support, many customers may never be notified that these flaws exist, or have the skills to update a router.
On February 2, security firm Tenable ran a Shodan scan looking for the imperiled routers and found “at least 8,400 publicly accessible RV34X devices.” Thankfully, the firm says it can’t find any exploits for the devices on public repositories.
There’s every chance that situation will quickly change, and for the worse.
Being asked to do ad hoc tech support for friends and family is never fun. Might this triple dose of perfectly critical trouble be the moment to offer counsel? ®