Critical flaws found in four Cisco SMB router ranges – for the second time this year
At least Switchzilla thinks they're salvageable, unlike the boxes it ordered binned back in June
Cisco has revealed four of its small business router ranges have critical flaws – for the second time in 2022 alone.
A Wednesday advisory warns owners of the RV160, RV260, RV340, and RV345 Series Routers that the vulnerabilities could allow "an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on an affected device."
The four ranges were whacked with three 10/10 bugs in February 2022.
This time around the worst of the bugs – CVE-2022-20842 – is rated 9.8/10 on the Common Vulnerability Scoring System (CVSS).
Exploitation of one vulnerability may be required to exploit another
Cisco says a vulnerability in the web-based management interface of the RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow execution of arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service condition. "This vulnerability is due to insufficient validation of user-supplied input to the web-based management interface," Cisco states.
- Cisco compresses Catalyst switches to compact size
- Cisco quits Moscow
- Cisco warns of security holes in its security appliances
CVE-2022-20827 is rated 9/10 and applies to all four of the abovementioned router ranges.
Cisco describes the flaw as "A vulnerability in the web filter database" that "could allow an unauthenticated, remote attacker to perform a command injection and execute commands on the underlying operating system with root privileges.
"This vulnerability is due to insufficient input validation," Cisco adds, and means an attacker submitting crafted input to the web filter database update feature and then execute commands on the underlying operating system with root privileges.
At a mere 8.3/10 CVE-2022-20841 is rated a mere "high" risk bug, rather than the "critical" status of the two CVEs mentioned above.
"This vulnerability is due to insufficient validation of user-supplied input,” states Cisco's explanation of the mess, once again. "An attacker could exploit this vulnerability by sending malicious input to an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system. To exploit this vulnerability, an attacker must leverage a man-in-the-middle position or have an established foothold on a specific network device that is connected to the affected router."
Patching all three flaws – ASAP – is advised because Cisco warns "The vulnerabilities are dependent on one another."
"Exploitation of one of the vulnerabilities may be required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities."
At least owners of the devices (should) have recent experience patching the borked boxen.
Another small mercy is that Cisco's not advised binning the products, as it did for its RV110W, RV130, RV130W, and RV215W routers only a couple of months ago.
Of course, users tired of updating small business routers might decide to do so without Cisco's suggestion. ®