Reading:
Cisco Fixed RCE and Command Injection Flaws in VPN Router Series

Cisco Fixed RCE and Command Injection Flaws in VPN Router Series

August 4, 2022

Cisco released fixes for several vulnerabilities in its VPN routers. Affected products could be subject to remote code execution, command injection, and DoS attacks by unauthenticated, remote attackers. The vulnerabilities are labeled CVE-2022-20827, CVE-2022-20841, and CVE-2022-20842; and are caused by insufficient input validation. Currently, there is no evidence of exploitation in the wild. 

How Do Vulnerabilities Affect?

CVE-2022-20842 exists in the web-based management interface of VPN routers. By sending a crafted HTTP input to a vulnerable device, an attacker can exploit it and perform RCE as a root user in the OS or cause denial-of-service

CVE-2022-20827 can be exploited by sending crafted input to the web filter database update feature. This vulnerability could enable an attacker to execute arbitrary commands with root privilege, like in CVE-2022-20842.

CVE-2022-20841 is a vulnerability in the Cisco router’s PnP (Open Plug and Play) module. It can be exploited by a malicious input sent to the vulnerable device. To exploit it, the attacker must be in a MiTM (man-in-the-middle) position or already have control over a particular network device linked to the vulnerable router. According to Cisco, this vulnerability “could allow an unauthenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system.” 

Is There a Way to Mitigate? 

There are no available workarounds for these vulnerabilities; updating your software is recommended. 

Affected products and versions are listed below: 

Vulnerable to CVE-2022-20827 and CVE-2022-20841: 

  • RV160 and RV260 Series Routers (earlier than 1.0.01.05) 
  • RV160 and RV260 Series Routers (1.0.01.05) 
  • RV340 and RV345 Series Routers (earlier than 1.0.03.26) 
  • RV340 and RV345 Series Routers (1.0.03.26) 

Vulnerable to CVE-2022-20842: 

  • RV340 and RV345 Series Routers (1.0.03.26 and earlier) 

Check Cisco’s security advisory for free security updates and additional information on the subject.