“Very Concerning”: Cisco router vulnerabilities pose far-reaching risks
The series of newly discovered vulnerabilities in Cisco routers, including five with a “critical” severity level, has increased cyber risk for companies of all sizes, cybersecurity executives told VentureBeat.
Among the vulnerabilities are three with the highest possible severity – including a remote code execution (RCE) vulnerability and a flaw that allows remote users to elevate their privileges.
While the 15 vulnerabilities affect routers used by small and medium-sized businesses (SMBs), in 2022 large and small businesses are intertwined from a security perspective. If an SMB does not address such a major security issue – for example, due to a lack of resources – it can become a problem for the companies it does business with.
“When SMBs get hacked, it can impact larger organizations,” said Matthew Warner, co-founder and chief technology officer at Blumira, in an email.
For example, in the 2013 Target breach, attackers reportedly gained initial access by compromising an HVAC contractor that had been working at Target locations. Rather than going after Target directly, the attackers breached the supposedly less secure contractor and used that foothold to gain access to Target’s environment, Warner said.
“It’s a common attack mechanism for threat actors to target MSPs or other SMBs, which have broad exposure to a number of other larger organizations simply because of their access,” he said.
This week Cisco disclosed the 15 vulnerabilities discovered in its RV160, RV260, RV340 and RV345 series routers. Cisco said it has released patches for the vulnerabilities and there are no workarounds for the bugs.
Three of the bugs were rated at the highest possible severity – 10.0:
- CVE-2022-20699 is a vulnerability in the SSL VPN module of the Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. The flaw could allow an unauthenticated attacker to remotely execute code on a vulnerable device and could be exploited to gain root privileges, Cisco said.
- CVE-2022-20700 is a vulnerability in the web interface used to manage Cisco Small Business RV Series routers. The flaw could allow an attacker to remotely elevate their privileges to root, Cisco said.
- CVE-2022-20708 is a vulnerability in the web interface used to manage the Cisco Small Business RV340, RV340W, RV345, and RV345P dual-WAN Gigabit VPN routers. The flaw could allow an unauthenticated attacker to remotely inject and execute commands on the underlying Linux operating system, Cisco said.
The other two “critical” vulnerabilities are CVE-2022-20703 – which can allow an unauthenticated local user to install malicious software and has a severity rating of 9.3 – and CVE-2022-20701, which has a rating of 9.0 and is related to the remote privilege escalation vulnerability (CVE-2022-20700).
In its advisory, Cisco noted that some of the 15 vulnerabilities are “interdependent. Exploiting one of the vulnerabilities may be required to exploit another vulnerability.”
The vulnerabilities are “very concerning” due to their severity and the multiple attack vectors, said Tim Silverline, vice president of security at Gluware, in an email.
While SMBs using the routers are most directly affected by the vulnerabilities, SMBs often connect to enterprise partners through VPN tunnels, Silverline noted. “It could be another entry point into [the enterprise] network if those connections aren’t properly secured,” he said.
Therefore, creating strong security policies at the enterprise perimeter using positive enforcement or zero trust technologies “can help mitigate most of the risks that these types of connections would pose,” Silverline said.
The disclosure comes at a time when software vulnerabilities are receiving a lot of attention after the RCE bug in Apache Log4j, a widely used Java logging component, was revealed in December. Another major vulnerability that has recently come to light is “PwnKit”, which affects a widely used Linux program – Polkit’s pkexec – and can easily be exploited for local privilege escalation.