Cisco inferno: Networking giant reveals three 10/10 rated critical router bugs

RV family of routers is in trouble, and fixed software is yet to arrive for some models


Cisco has revealed five critical bugs, three of them rated 10/10 on the Common Vulnerability Scoring System, that impact four of its router families aimed at small businesses. And it only has patches available for two of the affected ranges.

The flaws impact the RV160, RV260, RV340 and RV345 products, all of which can be abused with:

  • Arbitrary code execution;
  • Privilege elevation;
  • Execution of arbitrary commands;
  • Authentication and authorization protection bypasses;
  • Being made to fetch and run unsigned software;

If that's not enough to worry about, the boxes can also be made to create DDoS attacks.

The three 10/10-rated flaws are:

  • CVE-2022-20699 This one's the remote code execution flaw and exists thanks to insufficient boundary checks when processing specific HTTP requests. An attacker that sends malicious HTTP requests could execute code with root privileges.
  • CVE-2022-20700 A privilege escalation flaw present thanks to what Cisco describes as "insufficient authorization enforcement mechanisms." Backdoor conspiracy theorists, this one's for you – because Cisco says "An attacker could exploit these vulnerabilities by submitting specific commands to an affected device." CVE-2022-20701 and CVE-2022-20702, rated 9/10 and 6/10 respectively, also have privilege escalation powers.
  • CVE-2022-20708 The third 10/10 flaw allows command injection, and if an attacker sends the right input to a device they could execute arbitrary commands on the underlying Linux operating system.

Cisco's advisory lists 15 CVEs, another two of which are rated critical: the 9.3/10 CVE-2022-20703 and the 9/10 CVE-2022-20701.

Six of the other vulns have a High rating, meaning they've scored between 7.0 and 8.9 on the CVSS.

Cisco has updated software for the RV340 and RV345 series, but the RV160 and RV260 eagerly await their patches. The networking giant hasn't advised when that code will debut.

That lack of patches is scary, because Cisco admits it's aware that proof-of-concept exploit code is available for several of the vulnerabilities it has disclosed. Perhaps scarier still, given that small businesses often go without tech support – many customers may never be notified that these flaws exist, or have the skills to update a router.

On February 2, security firm Tenable ran a Shodan scan looking for the imperiled routers and found "at least 8,400 publicly accessible RV34X devices." Thankfully, the firm says it can't find any exploits for the devices on public repositories.

There's every chance that situation will quickly change – for the worse.

Being asked to do ad hoc tech support for friends and family is never fun. Might this triple dose of perfectly critical trouble be the moment to offer counsel? ®


Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Cisco execs pledge simpler, more integrated networks
    Is this the end of Switchzilla's dashboard creep?

    Cisco Live In his first in-person Cisco Live keynote in two years, CEO Chuck Robbins didn't make any lofty claims about how AI is taking over the network or how the company's latest products would turn networking on its head. Instead, the presentation was all about working with customers to make their lives easier.

    "We need to simplify the things that we do with you. If I think back to eight or ten years ago, I think we've made progress, but we still have more to do," he said, promising to address customers' biggest complaints with the networking giant's various platforms.

    "Everything we find that is inhibiting your experience from being the best that it can be, we're going to tackle," he declared, appealing to customers to share their pain points at the show.

    Continue reading
  • If you're using older, vulnerable Cisco small biz routers, throw them out
    Severe security flaw won't be fixed – as patches released this week for other bugs

    If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for a bunch of flaws, two of which are not great.

    First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it's not going to fix. In other words, junk your kit or somehow mitigate the risk.

    Both of these received a CVSS score of 9.8 out of 10 in severity. The IT giant urged customers to patch affected security appliances ASAP if possible, and upgrade to newer hardware if you're still using an end-of-life, buggy router. We note that miscreants aren't actively exploiting either of these vulnerabilities — yet.

    Continue reading
  • Datacenter networks: You'll manage them from the cloud, eventually, claims Cisco
    Nexus portfolio undergoes cloudy Software-as-a-Service revamp

    Cisco's Nexus Cloud will eventually allow customers to manage their datacenter networks entirely from the cloud, says the networking giant.

    The company unveiled the latest addition to its datacenter-focused Nexus portfolio at Cisco Live this week, where the product set got a software-as-a-service (SaaS) revamp.

    "It's targeted at network operations teams that need to manage, or want to manage, their Nexus infrastructure as well as their public-cloud network infrastructure in one spot," Cisco's Thomas Scheibe – VP product management, cloud networking for Nexus & ACI product lines – told The Register.

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • This startup says it can glue all your networks together in the cloud
    Or some approximation of that

    Multi-cloud networking startup Alkira has decided it wants to be a network-as-a-service (NaaS) provider with the launch of its cloud area networking platform this week.

    The upstart, founded in 2018, claims this platform lets customers automatically stitch together multiple on-prem datacenters, branches, and cloud workloads at the press of a button.

    The subscription is the latest evolution of Alkira’s multi-cloud platform introduced back in 2020. The service integrates with all major public cloud providers – Amazon Web Services, Google Cloud, Microsoft Azure, and Oracle Cloud – and automates the provisioning and management of their network services.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading

Biting the hand that feeds IT © 1998–2022