Cisco has fixed critical vulnerabilities affecting small business VPN routers that could allow remote, unauthenticated attackers to execute arbitrary code or commands, or cause a denial of service on vulnerable devices.
In total, the company announced fixes for eight vulnerabilities, three of which affect routers. In addition, Cisco has fixed five bugs affecting Webex Meetings, Identity Services Engine, Unified Communications Manager, and the BroadWorks platform.
The two most critical issues for routers, CVE-2022-20842 (CVSS score 9.8) and CVE-2022-20827 (CVSS score 9), were found in the web management interface and the web filter database update function, respectively, and both are caused by incorrect input validation. Both vulnerabilities can be exploited remotely and do not require authentication or user interaction.
The developers explain that successful exploitation of CVE-2022-20842, using specially crafted HTTP input, allows attackers to “execute arbitrary code as root on the underlying operating system or force a device reboot, which will lead to a DoS condition.”
In turn, CVE-2022-20827 is exploited by passing specially crafted input to the web filter database update function, which allows attackers to “execute commands in the underlying operating system with root privileges.”
These bugs affect Small Business series VPN routers: RV160, RV260, RV340 and RV345 (CVE-2022-20842 affects only the last two).
The third router-related vulnerability, CVE-2022-20841 (CVSS score 8), is a command injection flaw in the Open Plug-n-Play (PnP) module. It can be abused by sending malicious input to achieve code execution on the target Linux host. The flaw affects RV160, RV260, RV340 and RV345 devices.
It is emphasized that, so far, experts are not aware of any publicly available exploits for the listed problems, and the vulnerabilities have not been used in real attacks.