Cisco has fixed critical security flaws in its Small Business VPN routers. By exploiting these vulnerabilities, an unauthenticated attacker can remotely execute commands on the router and trigger a denial of service (DoS).
These two security flaws are tracked as CVE-2022-20842 and CVE-2022-20827. They were discovered by security researchers from IoT Inspector, Chaitin and the CLP team. They are located in the routers' web management interfaces, in the function used to update the web filtering database, and stem from insufficient validation of input data.
According to Cisco, exploiting these two vulnerabilities requires sending a specially crafted HTTP request to the router. The request is sent remotely and does not require authentication, yet it allows attackers to “execute arbitrary code as root on the operating system or cause a device reboot, resulting in a denial of service”. In both cases, commands are executed with “root” privileges on the Linux-based system, and the only exploitation condition is being able to reach the management interface of the vulnerable router.
So, which Cisco devices are affected by these two security flaws? The affected routers are the Cisco VPN routers in the RV160, RV260, RV340 and RV345 series from the Small Business range; CVE-2022-20842 affects only the last two. The detailed list, including firmware versions, is available on the Cisco site.
The good news is that Cisco has released software updates that fix both vulnerabilities, so if you’re using these routers, you know what you need to do! More good news: Cisco says it is not aware of any active exploitation of these vulnerabilities or of any publicly available exploits.