Threat Watch

Cisco Fixes Critical Remote Code Execution Bug in VPN Routers

Cisco has patched two critical security vulnerabilities affecting their Small Business VPN routers. These vulnerabilities, tracked as CVE-2022-20842 and CVE-2022-20827, could allow an attacker to execute arbitrary code as the root user on the system or cause the device to reload, causing a Denial-of-Service condition.

Both vulnerabilities are caused by insufficient input validation in various components of the routers. The CVE-2022-20842 vulnerability exists in the web-based management interface of the router, while the CVE-2022-20827 vulnerability exists in the web filter database update feature. With specifically crafted input, both vulnerabilities can be exploited to execute code and commands on the device as the root user, making it so any code maliciously executed will do so under the highest privileges available on the device. CVE-2022-20842 can also be used to forcibly reload the router, causing a Denial-of-Service on the device. Both exploits are also achievable remotely without requiring authentication, making them significantly easier to perform.

There has been no reported in-the-wild exploitation for either of these vulnerabilities; however, threat actors commonly develop exploits shortly after patches are released, so it is likely that attacks will start occurring.

ANALYST NOTES

It is recommended to patch vulnerable devices as soon as possible to help prevent any potential exploitation from occurring. The vulnerable device families include: RV160, RV260, RV340, and RV345. Updating these devices to their latest software versions will remove these vulnerabilities. It is also recommended to maintain a regular patching cycle so critical vulnerabilities can be remediated quickly and effectively. This may include implementing auto-updates, where possible, or maintaining a regular testing and patching process executed on a regular cadence. By installing patches as soon as they are released, an organization can help prevent threat actors from establishing a foothold within their network or otherwise using the vulnerable system in a malicious manner. Finally, it is important to only expose devices and services that absolutely need to be directly accessible from the Internet. Unpatched or unmaintained systems exposed on the Internet are a common vector for threat actors to gain access to an organization’s network, so it is crucial to reduce this attack surface as much as possible. Regularly assessing an organization’s perimeter and Internet exposure is recommended to determine if there are any security issues that could allow a threat actor to access internal systems.

https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-remote-code-execution-bug-in-vpn-routers/

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-mult-vuln-CbVp4SUR