{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-009.pdf"
    },
    "title": "Critical Vulnerability in Cisco VPN Routers",
    "serial_number": "2022-009",
    "publish_date": "07-02-2022 17:08:00",
    "description": "On January 4th, Cisco issued advisories and software updates to address multiple vulnerabilities, of which the three most serious are identified as: \"CVE-2022-20699\", \"CVE-2022-20700\", \"CVE-2022-20708\" with a severity score of 10 out of 10.<br>- \"CVE-2022-20699\" could lead to Remote Code Execution by unauthenticated attackers with \"root\" privileges.<br>- \"CVE-2022-20700\" could allow a remote attacker to elevate privileges to \"root\".<br>- \"CVE-2022-20708\" could allow an unauthenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system.<br>Concerning the \"CVE-2022-20699\" vulnerability, a public presentation was recently given at OffensiveCon2022, followed by a leak of the exploit on Twitter. It is unknown which PoC exploits are available for the other vulnerabilities. However, once security updates are released, these PoCs tend to become publicly available fairly quickly.<br>It is recommended to update as soon as possible.",
    "url_title": "2022-009",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in\u00a0Cisco\u00a0VPN\u00a0Routers'\nversion: '1.0'\nnumber: '2022-009'\ndate: 'February 7, 2022'\n---\n\n_History:_\n\n* _07/02/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn January 4th, Cisco issued advisories and software updates [1] to address multiple vulnerabilities, of which the three most serious are identified as: `CVE-2022-20699`, `CVE-2022-20700`, `CVE-2022-20708` with a severity score of 10 out of 10.\n\n- `CVE-2022-20699` could lead to Remote Code Execution by unauthenticated attackers with `root` privileges.\n- `CVE-2022-20700` could allow a remote attacker to elevate privileges to `root`.\n- `CVE-2022-20708` could allow an unauthenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system.\n\nConcerning the `CVE-2022-20699` vulnerability, a public presentation was recently given at OffensiveCon2022, followed by a **leak of the exploit on Twitter** [2]. It is unknown which PoC exploits are available for the other vulnerabilities. However, once security updates are released, these PoCs tend to become publicly available fairly quickly [3].\n\nIt is recommended to update as soon as possible.\n\n# Technical Details\n\nThe vulnerability `CVE-2022-20699` exists because HTTP requests are not properly validated in the management interface, according to Cisco. 
An attacker could exploit this vulnerability by sending malicious HTTP requests to the affected device that is acting as an SSL VPN Gateway.\n\nThe vulnerability `CVE-2022-20700` is due to flaws in the router's web-based management interface, which suffers from insufficient authorisation enforcement mechanisms.\n\nThe vulnerability `CVE-2022-20708` is due to insufficient validation of user-supplied input.\n\n# Affected Products\n\nThese vulnerabilities affect the following Cisco products:\n\n`CVE-2022-20700`:\n\n- RV160 VPN Routers\n- RV160W Wireless-AC VPN Routers\n- RV260 VPN Routers\n- RV260P VPN Routers with PoE\n- RV260W Wireless-AC VPN Routers\n\n`CVE-2022-20699` & `CVE-2022-20708`:\n\n- RV340 Dual WAN Gigabit VPN Routers\n- RV340W Dual WAN Gigabit Wireless-AC VPN Routers\n- RV345 Dual WAN Gigabit VPN Routers\n- RV345P Dual WAN Gigabit POE VPN Routers\n\n# Recommendations\n\nCisco has released free software updates that address the vulnerabilities described in this advisory for the RV340 and RV345 Series. Cisco is working on fixes for the identified vulnerabilities for the RV160 and RV260 Series Routers as quickly as possible.\n\nCisco and CERT-EU strongly recommend upgrading Cisco routers to the latest version as soon as possible.\n\n# References\n\n[1] <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D>\n\n[2] <https://twitter.com/RabbitPro/status/1489978906597859333>\n\n[3] <https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-bugs-in-smb-routers-exploits-available/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>07/02/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On January 4th, Cisco issued advisories and software updates [1] to address multiple vulnerabilities, of which the three most serious are identified as: <code>CVE-2022-20699</code>, <code>CVE-2022-20700</code>, <code>CVE-2022-20708</code> with a severity score of 10 out of 10.</p><ul><li><code>CVE-2022-20699</code> could lead to Remote Code Execution by unauthenticated attackers with <code>root</code> privileges.</li><li><code>CVE-2022-20700</code> could allow a remote attacker to elevate privileges to <code>root</code>.</li><li><code>CVE-2022-20708</code> could allow an unauthenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system.</li></ul><p>Concerning the <code>CVE-2022-20699</code> vulnerability, a public presentation was recently given at OffensiveCon2022, followed by a <strong>leak of the exploit on Twitter</strong> [2]. It is unknown which PoC exploits are available for the other vulnerabilities. However, once security updates are released, these PoCs tend to become publicly available fairly quickly [3].</p><p>It is recommended to update as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <code>CVE-2022-20699</code> exists because HTTP requests are not properly validated in the management interface, according to Cisco. 
An attacker could exploit this vulnerability by sending malicious HTTP requests to the affected device that is acting as an SSL VPN Gateway.</p><p>The vulnerability <code>CVE-2022-20700</code> is due to flaws in the router's web-based management interface, which suffers from insufficient authorisation enforcement mechanisms.</p><p>The vulnerability <code>CVE-2022-20708</code> is due to insufficient validation of user-supplied input.</p><h2 id=\"affected-products\">Affected Products</h2><p>These vulnerabilities affect the following Cisco products:</p><p><code>CVE-2022-20700</code>:</p><ul><li>RV160 VPN Routers</li><li>RV160W Wireless-AC VPN Routers</li><li>RV260 VPN Routers</li><li>RV260P VPN Routers with PoE</li><li>RV260W Wireless-AC VPN Routers</li></ul><p><code>CVE-2022-20699</code> &amp; <code>CVE-2022-20708</code>:</p><ul><li>RV340 Dual WAN Gigabit VPN Routers</li><li>RV340W Dual WAN Gigabit Wireless-AC VPN Routers</li><li>RV345 Dual WAN Gigabit VPN Routers</li><li>RV345P Dual WAN Gigabit POE VPN Routers</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Cisco has released free software updates that address the vulnerabilities described in this advisory for the RV340 and RV345 Series. 
Cisco is working on fixes for the identified vulnerabilities for the RV160 and RV260 Series Routers as quickly as possible.</p><p>Cisco and CERT-EU strongly recommend upgrading Cisco routers to the latest version as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D\">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://twitter.com/RabbitPro/status/1489978906597859333\">https://twitter.com/RabbitPro/status/1489978906597859333</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-bugs-in-smb-routers-exploits-available/\">https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-bugs-in-smb-routers-exploits-available/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}