Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2119.2
Cisco Small Business RV Series Routers Vulnerabilities
4 August 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Small Business RV Series Routers
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-3296 CVE-2020-3295 CVE-2020-3294
CVE-2020-3293 CVE-2020-3292 CVE-2020-3291
CVE-2020-3290 CVE-2020-3289 CVE-2020-3288
CVE-2020-3287 CVE-2020-3286 CVE-2020-3269
CVE-2020-3268
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-Rj5JRfF8
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-stack-vUxHmnNz
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-injection-tWC7krKQ
Comment: This bulletin contains three (3) Cisco Systems security advisories.
Revision History: August 4 2020: Update to v1.1 for cisco-sa-rv-routers-Rj5JRfF8
June 18 2020: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Small Business RV Series Routers Command Injection Vulnerabilities
Priority: High
Advisory ID: cisco-sa-rv-routers-Rj5JRfF8
First Published: 2020 June 17 16:00 GMT
Last Updated: 2020 August 3 16:18 GMT
Version 1.1: Final
Workarounds: No workarounds availableCisco Bug IDs: CSCvt26490 CSCvt26504 CSCvt26669 CSCvt26676CSCvt26683 CSCvt26714 CSCvt29372 CSCvt29376CSCvt29405 CSCvt29407 CSCvt29409 CSCvt29415
CWE-77
CVSS Score:
7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o Multiple vulnerabilities in the web-based management interface of Cisco
Small Business RV320 and RV325 Series Routers and Cisco Small Business
RV016, RV042, and RV082 Routers could allow an authenticated, remote
attacker with administrative privileges to execute arbitrary commands on an
affected device.
The vulnerabilities exist because the web-based management interface does
not properly validate user-supplied input to scripts. An attacker with
administrative privileges that are sufficient to log in to the web-based
management interface could exploit each vulnerability by sending malicious
requests to an affected device. A successful exploit could allow the
attacker to execute arbitrary commands with root privileges on the
underlying operating system.
Cisco has released software updates that address these vulnerabilities.
There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-rv-routers-Rj5JRfF8
Affected Products
o Vulnerable Products
These vulnerabilities affect the following Cisco Small Business routers and
firmware releases:
RV016 Multi-WAN VPN: 4.2.3.10 and earlier
RV042 Dual WAN VPN: 4.2.3.10 and earlier
RV042G Dual Gigabit WAN VPN: 4.2.3.10 and earlier
RV082 Dual WAN VPN: 4.2.3.10 and earlier
RV320 Dual Gigabit WAN VPN: 1.5.1.05 and earlier
RV325 Dual Gigabit WAN VPN: 1.5.1.05 and earlier
The web-based management interface for these devices is available through a
local LAN connection or through the remote management feature. By default,
the remote management feature is disabled for the affected devices.
To determine whether the remote management feature is enabled for a device,
open the web-based management interface through a local LAN connection and
then choose Basic Settings > Remote Management . If the Enable check box is
checked, remote management is enabled for the device.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by these vulnerabilities.
Workarounds
o There are no workarounds that address these vulnerabilities.
Fixed Software
o Cisco has released free software updates that address the vulnerabilities
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license: https://www.cisco.com/c/en/us/products/
end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco fixed these vulnerabilities in Cisco RV320 and RV325 Dual Gigabit WAN
VPN Routers Firmware Release 1.5.1.11.
Cisco fixed these vulnerabilities in Cisco RV016, RV042, and RV082 Routers
Firmware Release 4.2.3.14.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is aware that
proof-of-concept exploit code is available for the vulnerabilities that are
described in this advisory.
The Cisco PSIRT is not aware of any malicious use of the vulnerabilities
that are described in this advisory.
Source
o Cisco would like to thank Kai Cheng for reporting these vulnerabilities.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Action Links for This Advisory
o Snort Rule 54320
Snort Rule 54321
Snort Rule 54322
Snort Rule 54323
Snort Rule 54324
Snort Rule 54325
Snort Rule 54326
Snort Rule 54327
Snort Rule 54328
Snort Rule 54329
Snort Rule 54330
Snort Rule 54331
Cisco Small Business RV Series Routers Command Injection
Cisco Small Business RV Series Routers Command Injection
Show All 14...
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-rv-routers-Rj5JRfF8
Revision History
o +---------+-----------------------------+----------+--------+-------------+
| Version | Description | Section | Status | Date |
+---------+-----------------------------+----------+--------+-------------+
- --------------------------------------------------------------------------------
Cisco Small Business RV Series Routers Stack Overflow Arbitrary Code Execution
Vulnerabilities
Priority: High
Advisory ID: cisco-sa-rv-routers-stack-vUxHmnNz
First Published: 2020 June 17 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvt26525 CSCvt26555 CSCvt26591 CSCvt26619CSCvt26643
CSCvt26659 CSCvt26663 CSCvt26705CSCvt26718 CSCvt26725 CSCvt26729 CSCvt29381
CSCvt29385 CSCvt29388 CSCvt29396 CSCvt29398CSCvt29400 CSCvt29403 CSCvt29414
CSCvt29416CSCvt29421 CSCvt29423
CVE-2020-3286 CVE-2020-3287 CVE-2020-3288 CVE-2020-3289
CVE-2020-3290 CVE-2020-3291 CVE-2020-3292 CVE-2020-3293
CVE-2020-3294 CVE-2020-3295 CVE-2020-3296
CWE-119
CVSS Score:
7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o Multiple vulnerabilities in the web-based management interface of Cisco
Small Business RV320 and RV325 Series Routers and Cisco Small Business
RV016, RV042, and RV082 Routers could allow an authenticated, remote
attacker with administrative privileges to execute arbitrary code on an
affected device.
The vulnerabilities are due to insufficient boundary restrictions on
user-supplied input to scripts in the web-based management interface. An
attacker with administrative privileges that are sufficient to log in to
the web-based management interface could exploit each vulnerability by
sending crafted requests that contain overly large values to an affected
device, causing a stack overflow. A successful exploit could allow the
attacker to cause the device to crash or allow the attacker to execute
arbitrary code with root privileges on the underlying operating system.
Cisco has released software updates that address these vulnerabilities.
There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-rv-routers-stack-vUxHmnNz
Affected Products
o Vulnerable Products
These vulnerabilities affect the following Cisco Small Business routers and
firmware releases:
RV016 Multi-WAN VPN: 4.2.3.10 and earlier
RV042 Dual WAN VPN: 4.2.3.10 and earlier
RV042G Dual Gigabit WAN VPN: 4.2.3.10 and earlier
RV082 Dual WAN VPN: 4.2.3.10 and earlier
RV320 Dual Gigabit WAN VPN: 1.5.1.05 and earlier
RV325 Dual Gigabit WAN VPN: 1.5.1.05 and earlier
The web-based management interface for these devices is available through a
local LAN connection or through the remote management feature. By default,
the remote management feature is disabled for the affected devices.
To determine whether the remote management feature is enabled for a device,
open the web-based management interface through a local LAN connection and
then choose Basic Settings > Remote Management . If the Enable check box is
checked, remote management is enabled for the device.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by these vulnerabilities.
Workarounds
o There are no workarounds that address these vulnerabilities.
Fixed Software
o Cisco has released free software updates that address the vulnerabilities
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license: https://www.cisco.com/c/en/us/products/
end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco fixed these vulnerabilities in Cisco RV320 and RV325 Dual Gigabit WAN
VPN Routers Firmware Release 1.5.1.11.
Cisco fixed these vulnerabilities in Cisco RV016, RV042, and RV082 Routers
Firmware Release 4.2.3.14.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is aware that
proof-of-concept exploit code is available for the vulnerabilities that are
described in this advisory.
The Cisco PSIRT is not aware of any malicious use of the vulnerabilities
that are described in this advisory.
Source
o Cisco would like to thank Kai Cheng for reporting these vulnerabilities.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-rv-routers-stack-vUxHmnNz
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-JUN-17 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------------------------------------------------------------
Cisco Small Business RV110W, RV130, RV130W, and RV215W Series Routers
Management Interface Vulnerabilities
Priority: High
Advisory ID: cisco-sa-rv-routers-injection-tWC7krKQ
First Published: 2020 June 17 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
CVE-2020-3268
CVE-2020-3269
CWE-119
CWE-20
CVSS Score:
7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o Multiple vulnerabilities in the web-based management interface of Cisco
RV110W, RV130, RV130W, and RV215W Series Routers could allow an
authenticated, remote attacker with administrative privileges to execute
arbitrary commands.
For more information about these vulnerabilities, see the Details section
of this advisory.
Cisco has released software updates that address these vulnerabilities.
There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-rv-routers-injection-tWC7krKQ
Affected Products
o Vulnerable Products
The following table lists Cisco products that are affected by one or more
of the vulnerabilities that are described in this advisory:
Product Cisco Bug IDs Vulnerable Fixed
Releases Releases
Cisco Small Business RV110W CSCvt28218, 1.2.2.5 and 1.2.2.8
Wireless-N VPN Firewall CSCvt28233 earlier and later
Cisco Small Business RV130 VPN Router CSCvt28203, 1.0.3.54 and 1.0.3.55
CSCvt28229 earlier and later
Cisco Small Business RV130W CSCvt28203, 1.0.3.54 and 1.0.3.55
Wireless-N Multifunction VPN Router CSCvt28229 earlier and later
Cisco Small Business RV215W CSCvt28223, 1.3.1.5 and 1.3.1.7
Wireless-N VPN Router CSCvt28237 earlier and later
The web-based management interface for these devices is available through a
local LAN connection or through the remote management feature. By default,
the remote management feature is disabled for the affected devices.
To determine whether the remote management feature is enabled for a device,
open the web-based management interface though a local LAN connection and
then choose Basic Settings > Remote Management . If the Enable check box is
checked, remote management is enabled for the device.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by these vulnerabilities.
Details
o Two vulnerabilities in the web-based management interface of Cisco RV110W,
RV130, RV130W, and RV215W Series Routers could allow an authenticated,
remote attacker with administrative privileges to execute arbitrary
commands.
The vulnerabilities are not dependent on one another; exploitation of one
of the vulnerabilities is not required to exploit the other vulnerability.
Details about the vulnerabilities are as follows:
Cisco Small Business Routers Command Injection Vulnerability
The vulnerability exists because the web-based management interface does
not properly validate user-supplied input to scripts. An attacker with
administrative privileges sufficient to log in to the web-based management
interface could exploit this vulnerability by sending malicious requests to
an affected device. A successful exploit could allow the attacker to
execute arbitrary commands with root privileges on the underlying operating
system.
Bug ID(s): CSCvt28203, CSCvt28218, CSCvt28223
CVE ID: CVE-2020-3268
Security Impact Rating (SIR): High
CVSS Base Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Cisco Small Business Routers Stack Overflow Vulnerability
The vulnerability is due to improper boundary restrictions of user-supplied
input to the web-based management interface. An attacker with
administrative privileges sufficient to log in to the web-based management
interface could exploit this vulnerability by sending malicious requests to
an affected device. A successful exploit could allow the attacker to
execute arbitrary commands with root privileges on the underlying operating
system.
Bug ID(s): CSCvt28229, CSCvt28233, CSCvt28237
CVE ID: CVE-2020-3269
Security Impact Rating (SIR): High
CVSS Base Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Workarounds
o There are no workarounds that address these vulnerabilities.
Fixed Software
o Cisco has released free software updates that address the vulnerabilities
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license: https://www.cisco.com/c/en/us/products/
end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco fixed these vulnerabilities in Cisco RV110W, RV130, RV130W, and
RV215W Series Routers firmware releases 1.0.3.6 and later, 1.2.2.8 and
later, and 1.3.1.7 and later.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is aware that
proof-of-concept exploit code is available for the vulnerabilities that are
described in this advisory.
The Cisco PSIRT is not aware of any malicious use of the vulnerabilities
that are described in this advisory.
Source
o Cisco would like to thank Kai Cheng for reporting these vulnerabilities.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-rv-routers-injection-tWC7krKQ
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-JUN-17 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXyibo+NLKJtyKPYoAQhL/w//dBs/CzTB7ejKTU6EwwydiK1RtgFnLboG
QvYMwcPjZCY5ljmlvXzqrTw3ubKTaiSUUCFM3pTTATs8mMYZ2DQmT4Qmgzn2FpO0
7dZjkTkBjXDtdqkHFyDHY0p0Pyx/Nflax3TlXws1SK96T9Jo8Z4PnLl+RbV5sKBZ
SRNxfhqXHMnGnsswAOtxO/0Opg3BDjA60ZZS1PMNAcR44OQfeIgrUtA5WsBq//UT
2zKrVmaYlAyG77LhRv+DezEimgrm3Xu0freJBYXPDV8p5yruzcxmJ1dLfpimDR5k
j+sDZHF4/KH3uQCKAiohif+Z/ueq2/n6IAD2PeHqO+dCZbbaAnhttCOFoWtgHkFW
anL1sK//UYUoWYJBGRY1yW6DPcVeNssxd2gGbTZnkYgXUY+c4Qoylua1Kljrd1ow
t35tz4D3CeTeFb/WUwmNvAwZ+3mrirzjZ5WGnTwQpAlN7jdxnIkNaluJ5wDa+yIa
xqQEiqOXyK/nXjaadl3zYvUYTNv0z0Ljvk4k9cveXAVcNwGKA0qe+85jqzgJd7Ad
TSYNwBA1uem4y2/8PrCPJkciQqqCmlM1NLZpM3JgERl4CdtvEoofRROdATunqzOt
KJ4LkqMZGNj5RCShPIe4rckrUh83+YASX+KfyJhdX42iwHRkl/eyK/m1ef8ISUOv
s3d8V2LYLGg=
=oR6x
-----END PGP SIGNATURE-----