Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers are vulnerable to three vulnerabilities, according to the company.
An unauthenticated remote attacker may execute arbitrary code or cause a denial of service (DoS) condition on a vulnerable device.
CISA issued its own warning about the vulnerabilities on Thursday, saying they may allow someone to seize control of a vulnerable system.
Two of the bugs — labeled CVE-2022-20827 and CVE-2022-20841 — affect nine router models, while CVE-2022-20842 affects four.
‘In addition, a software release that is affected by one vulnerability may not be affected by the other vulnerabilities,’ Cisco said.
CVE-2022-20842 and CVE-2022-20827 are rated “critical” and carry vulnerability scores (CVSS) of 9.8 and 9, respectively.
CVE-2022-20841 is rated “high” and has a CVSS of 8.3.
Cisco says these vulnerabilities are dependent on one another because exploiting one may be necessary to exploit the others.
“Affected software releases may not be affected by the other vulnerabilities,” Cisco adds.
Cisco’s security team says they are not aware of any malicious use of the vulnerabilities, and there are no workarounds to address them.
Chris Clements, VP of solutions architecture at Cerberus Sentinel, believes the most severe issues that can be exploited by an unauthenticated remote attacker are those that target Cisco devices’ web management interface.
According to Clements, Shodan, a search engine for internet-connected devices, found over 12,000 web management interfaces exposed to the internet, with most based in the U.S.
“An attacker exploiting a gateway device can pose a substantial risk to an organisation, particularly if internal or external IT providers have enabled remote management of the devices without appreciating the security risks, which may have caused the devices to have internet access to the management interface,”
“It is clear from this data that devices have either been erroneously configured to provide internet access to the management interface or, more likely, deliberately by an external or internal IT supplier to enable remote management of the devices,” says Clements
Cisco’s patches in 2022 also addressed issues in the web-based management interface allowing an attacker to escalate privileges to root and execute arbitrary commands on the devices
Roger Grimes, VP of KnowBe4, says that although Cisco vulnerabilities are significant, most Cisco devices have unpatched vulnerabilities.
“In my 20-year career of penetration testing, I never found a fully patched Cisco router. This is just one more Cisco router exploit that attackers can use. However, attackers who target Cisco routers will likely score a bull’s eye.” says Grimes.
