===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2119
          Cisco Small Business RV Series Routers Vulnerabilities
                               18 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Small Business RV Series Routers
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3296 CVE-2020-3295 CVE-2020-3294
                   CVE-2020-3293 CVE-2020-3292 CVE-2020-3291
                   CVE-2020-3290 CVE-2020-3289 CVE-2020-3288
                   CVE-2020-3287 CVE-2020-3286 CVE-2020-3269
                   CVE-2020-3268  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-Rj5JRfF8
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-stack-vUxHmnNz
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-injection-tWC7krKQ

Comment: This bulletin contains three (3) Cisco Systems security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco Small Business RV Series Routers Command Injection Vulnerabilities

Priority:        High

Advisory ID:     cisco-sa-rv-routers-Rj5JRfF8

First Published: 2020 June 17 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvt26490 CSCvt26504 CSCvt26669 CSCvt26676 CSCvt26683
                 CSCvt26714 CSCvt29372 CSCvt29376 CSCvt29405 CSCvt29407
                 CSCvt29409 CSCvt29415

CWE-77

CVSS Score:
7.2  AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o Multiple vulnerabilities in the web-based management interface of Cisco
    Small Business RV320 and RV325 Series Routers and Cisco Small Business
    RV016, RV042, and RV082 Routers could allow an authenticated, remote
    attacker with administrative privileges to execute arbitrary commands on an
    affected device.

    The vulnerabilities exist because the web-based management interface does
    not properly validate user-supplied input to scripts. An attacker with
    administrative privileges that are sufficient to log in to the web-based
    management interface could exploit each vulnerability by sending malicious
    requests to an affected device. A successful exploit could allow the
    attacker to execute arbitrary commands with root privileges on the
    underlying operating system.

    Cisco has released software updates that address these vulnerabilities.
    There are no workarounds that address these vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-Rj5JRfF8

Affected Products

  o Vulnerable Products

    These vulnerabilities affect the following Cisco Small Business routers and
    firmware releases:

       RV016 Multi-WAN VPN: 4.2.3.10 and earlier
       RV042 Dual WAN VPN: 4.2.3.10 and earlier
       RV042G Dual Gigabit WAN VPN: 4.2.3.10 and earlier
       RV082 Dual WAN VPN: 4.2.3.10 and earlier
       RV320 Dual Gigabit WAN VPN: 1.5.1.05 and earlier
       RV325 Dual Gigabit WAN VPN: 1.5.1.05 and earlier

    The web-based management interface for these devices is available through a
    local LAN connection or through the remote management feature. By default,
    the remote management feature is disabled for the affected devices.

    To determine whether the remote management feature is enabled for a device,
    open the web-based management interface through a local LAN connection and
    then choose Basic Settings > Remote Management. If the Enable check box is
    checked, remote management is enabled for the device.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

Workarounds

  o There are no workarounds that address these vulnerabilities.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Cisco fixed these vulnerabilities in Cisco RV320 and RV325 Dual Gigabit WAN
    VPN Routers Firmware Release 1.5.1.11.

    Cisco fixed these vulnerabilities in Cisco RV016, RV042, and RV082 Routers
    Firmware Release 4.2.3.14.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware that
    proof-of-concept exploit code is available for the vulnerabilities that are
    described in this advisory.

    The Cisco PSIRT is not aware of any malicious use of the vulnerabilities
    that are described in this advisory.

Source

  o Cisco would like to thank Kai Cheng for reporting these vulnerabilities.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-Rj5JRfF8

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUN-17  |
    +----------+---------------------------+----------+--------+--------------+


--------------------------------------------------------------------------------


Cisco Small Business RV Series Routers Stack Overflow Arbitrary Code Execution
Vulnerabilities

Priority:        High

Advisory ID:     cisco-sa-rv-routers-stack-vUxHmnNz

First Published: 2020 June 17 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvt26525 CSCvt26555 CSCvt26591 CSCvt26619 CSCvt26643
                 CSCvt26659 CSCvt26663 CSCvt26705 CSCvt26718 CSCvt26725
                 CSCvt26729 CSCvt29381 CSCvt29385 CSCvt29388 CSCvt29396
                 CSCvt29398 CSCvt29400 CSCvt29403 CSCvt29414 CSCvt29416
                 CSCvt29421 CSCvt29423

CVE-2020-3286 CVE-2020-3287 CVE-2020-3288 CVE-2020-3289
CVE-2020-3290 CVE-2020-3291 CVE-2020-3292 CVE-2020-3293
CVE-2020-3294 CVE-2020-3295 CVE-2020-3296

CWE-119

CVSS Score:
7.2  AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o Multiple vulnerabilities in the web-based management interface of Cisco
    Small Business RV320 and RV325 Series Routers and Cisco Small Business
    RV016, RV042, and RV082 Routers could allow an authenticated, remote
    attacker with administrative privileges to execute arbitrary code on an
    affected device.

    The vulnerabilities are due to insufficient boundary restrictions on
    user-supplied input to scripts in the web-based management interface. An
    attacker with administrative privileges that are sufficient to log in to
    the web-based management interface could exploit each vulnerability by
    sending crafted requests that contain overly large values to an affected
    device, causing a stack overflow. A successful exploit could allow the
    attacker to cause the device to crash or allow the attacker to execute
    arbitrary code with root privileges on the underlying operating system.

    Cisco has released software updates that address these vulnerabilities.
    There are no workarounds that address these vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-stack-vUxHmnNz

Affected Products

  o Vulnerable Products

    These vulnerabilities affect the following Cisco Small Business routers and
    firmware releases:

       RV016 Multi-WAN VPN: 4.2.3.10 and earlier
       RV042 Dual WAN VPN: 4.2.3.10 and earlier
       RV042G Dual Gigabit WAN VPN: 4.2.3.10 and earlier
       RV082 Dual WAN VPN: 4.2.3.10 and earlier
       RV320 Dual Gigabit WAN VPN: 1.5.1.05 and earlier
       RV325 Dual Gigabit WAN VPN: 1.5.1.05 and earlier

    The web-based management interface for these devices is available through a
    local LAN connection or through the remote management feature. By default,
    the remote management feature is disabled for the affected devices.

    To determine whether the remote management feature is enabled for a device,
    open the web-based management interface through a local LAN connection and
    then choose Basic Settings > Remote Management. If the Enable check box is
    checked, remote management is enabled for the device.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

Workarounds

  o There are no workarounds that address these vulnerabilities.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Cisco fixed these vulnerabilities in Cisco RV320 and RV325 Dual Gigabit WAN
    VPN Routers Firmware Release 1.5.1.11.

    Cisco fixed these vulnerabilities in Cisco RV016, RV042, and RV082 Routers
    Firmware Release 4.2.3.14.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware that
    proof-of-concept exploit code is available for the vulnerabilities that are
    described in this advisory.

    The Cisco PSIRT is not aware of any malicious use of the vulnerabilities
    that are described in this advisory.

Source

  o Cisco would like to thank Kai Cheng for reporting these vulnerabilities.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-stack-vUxHmnNz

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUN-17  |
    +----------+---------------------------+----------+--------+--------------+


--------------------------------------------------------------------------------


Cisco Small Business RV110W, RV130, RV130W, and RV215W Series Routers
Management Interface Vulnerabilities

Priority:        High

Advisory ID:     cisco-sa-rv-routers-injection-tWC7krKQ

First Published: 2020 June 17 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

CVE-2020-3268    
CVE-2020-3269    

CWE-119
CWE-20

CVSS Score:
7.2  AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o Multiple vulnerabilities in the web-based management interface of Cisco
    RV110W, RV130, RV130W, and RV215W Series Routers could allow an
    authenticated, remote attacker with administrative privileges to execute
    arbitrary commands.

    For more information about these vulnerabilities, see the Details section
    of this advisory.

    Cisco has released software updates that address these vulnerabilities.
    There are no workarounds that address these vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-injection-tWC7krKQ

Affected Products

  o Vulnerable Products

    The following table lists Cisco products that are affected by one or more
    of the vulnerabilities that are described in this advisory:

    Product                               Cisco Bug IDs Vulnerable   Fixed
                                                        Releases     Releases
    Cisco Small Business RV110W           CSCvt28218,   1.2.2.5 and  1.2.2.8
    Wireless-N VPN Firewall               CSCvt28233    earlier      and later
    Cisco Small Business RV130 VPN Router CSCvt28203,   1.0.3.54 and 1.0.3.55
                                          CSCvt28229    earlier      and later
    Cisco Small Business RV130W           CSCvt28203,   1.0.3.54 and 1.0.3.55
    Wireless-N Multifunction VPN Router   CSCvt28229    earlier      and later
    Cisco Small Business RV215W           CSCvt28223,   1.3.1.5 and  1.3.1.7
    Wireless-N VPN Router                 CSCvt28237    earlier      and later

    The web-based management interface for these devices is available through a
    local LAN connection or through the remote management feature. By default,
    the remote management feature is disabled for the affected devices.

    To determine whether the remote management feature is enabled for a device,
    open the web-based management interface through a local LAN connection and
    then choose Basic Settings > Remote Management. If the Enable check box is
    checked, remote management is enabled for the device.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

Details

  o Two vulnerabilities in the web-based management interface of Cisco RV110W,
    RV130, RV130W, and RV215W Series Routers could allow an authenticated,
    remote attacker with administrative privileges to execute arbitrary
    commands.

    The vulnerabilities are not dependent on one another; exploitation of one
    of the vulnerabilities is not required to exploit the other vulnerability.

    Details about the vulnerabilities are as follows:

    Cisco Small Business Routers Command Injection Vulnerability

    The vulnerability exists because the web-based management interface does
    not properly validate user-supplied input to scripts. An attacker with
    administrative privileges sufficient to log in to the web-based management
    interface could exploit this vulnerability by sending malicious requests to
    an affected device. A successful exploit could allow the attacker to
    execute arbitrary commands with root privileges on the underlying operating
    system.

    Bug ID(s): CSCvt28203, CSCvt28218, CSCvt28223
    CVE ID: CVE-2020-3268
    Security Impact Rating (SIR): High
    CVSS Base Score: 7.2
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

    Cisco Small Business Routers Stack Overflow Vulnerability

    The vulnerability is due to improper boundary restrictions of user-supplied
    input to the web-based management interface. An attacker with
    administrative privileges sufficient to log in to the web-based management
    interface could exploit this vulnerability by sending malicious requests to
    an affected device. A successful exploit could allow the attacker to
    execute arbitrary commands with root privileges on the underlying operating
    system.

    Bug ID(s): CSCvt28229, CSCvt28233, CSCvt28237
    CVE ID: CVE-2020-3269
    Security Impact Rating (SIR): High
    CVSS Base Score: 7.2
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Workarounds

  o There are no workarounds that address these vulnerabilities.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Cisco fixed these vulnerabilities in Cisco RV110W, RV130, RV130W, and
    RV215W Series Routers firmware releases 1.0.3.6 and later, 1.2.2.8 and
    later, and 1.3.1.7 and later.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware that
    proof-of-concept exploit code is available for the vulnerabilities that are
    described in this advisory.

    The Cisco PSIRT is not aware of any malicious use of the vulnerabilities
    that are described in this advisory.

Source

  o Cisco would like to thank Kai Cheng for reporting these vulnerabilities.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-injection-tWC7krKQ

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUN-17  |
    +----------+---------------------------+----------+--------+--------------+

--------------------------END INCLUDED TEXT--------------------
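
The following triage script is an added example, not code from Cisco or
AusCERT. It classifies a device inventory against the vulnerable and fixed
releases listed in the three advisories above. The inventory rows, the status
names and the RV042G fixed release are assumptions; RV130/RV130W use the values
from the Vulnerable Products table.

```python
"""Triage a router inventory against the three Cisco advisories in this bulletin."""
from dataclasses import dataclass

CMD_AND_STACK = ("cisco-sa-rv-routers-Rj5JRfF8", "cisco-sa-rv-routers-stack-vUxHmnNz")
MGMT_IFACE = ("cisco-sa-rv-routers-injection-tWC7krKQ",)

# model -> (last vulnerable release, first fixed release, advisory IDs), transcribed
# from the Vulnerable Products and Fixed Releases sections of the bulletin.
# Assumption: RV042G takes the same fixed release as RV042 (the Fixed Releases
# sentence names only RV016, RV042 and RV082).
# RV130/RV130W values are the ones in the Vulnerable Products table.
ADVISORY_TABLE = {
    "RV016":  ("4.2.3.10", "4.2.3.14", CMD_AND_STACK),
    "RV042":  ("4.2.3.10", "4.2.3.14", CMD_AND_STACK),
    "RV042G": ("4.2.3.10", "4.2.3.14", CMD_AND_STACK),
    "RV082":  ("4.2.3.10", "4.2.3.14", CMD_AND_STACK),
    "RV320":  ("1.5.1.05", "1.5.1.11", CMD_AND_STACK),
    "RV325":  ("1.5.1.05", "1.5.1.11", CMD_AND_STACK),
    "RV110W": ("1.2.2.5", "1.2.2.8", MGMT_IFACE),
    "RV130":  ("1.0.3.54", "1.0.3.55", MGMT_IFACE),
    "RV130W": ("1.0.3.54", "1.0.3.55", MGMT_IFACE),
    "RV215W": ("1.3.1.5", "1.3.1.7", MGMT_IFACE),
}
# Lower rank is handled first; "fixed" and "not-covered" need no action.
ACTION_RANK = {"vulnerable": 0, "unknown-version": 1, "unlisted": 2}


def parse_version(text):
    """'1.5.1.05' -> (1, 5, 1, 5). Fields compare as numbers: 4.2.3.9 < 4.2.3.10."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass
class Finding:
    host: str
    model: str
    firmware: str
    status: str
    upgrade_to: str = ""
    advisories: tuple = ()
    remote_mgmt: bool = False


def assess(host, model, firmware, remote_mgmt=False):
    """Classify one device using only the release numbers the bulletin states."""
    key = model.strip().upper()
    if key not in ADVISORY_TABLE:
        return Finding(host, key, firmware, "not-covered", remote_mgmt=remote_mgmt)
    last_vuln, first_fixed, advisories = ADVISORY_TABLE[key]
    try:
        version = parse_version(firmware)
    except ValueError:
        status = "unknown-version"   # cannot be ruled out: check the device by hand
    else:
        if version <= parse_version(last_vuln):
            status = "vulnerable"
        elif version >= parse_version(first_fixed):
            status = "fixed"
        else:
            status = "unlisted"      # between the two releases: bulletin is silent
    return Finding(host, key, firmware, status, first_fixed, advisories, remote_mgmt)


def triage(inventory):
    """Return devices needing action, remote-management-enabled ones first."""
    findings = [assess(*row) for row in inventory]
    todo = [f for f in findings if f.status in ACTION_RANK]
    return sorted(todo, key=lambda f: (ACTION_RANK[f.status], not f.remote_mgmt))


# Constructed sample inventory: (host, model, firmware, remote management enabled)
INVENTORY = [
    ("edge-01", "RV320", "1.5.1.05", False),
    ("edge-02", "rv042g", "4.2.3.08", True),
    ("edge-03", "RV130W", "1.0.3.55", False),
    ("edge-04", "RV325", "1.5.1.08", False),
    ("edge-05", "RV215W", "1.3.1.5", True),
    ("edge-06", "OTHER-MODEL", "1.0.0.1", False),
    ("edge-07", "RV110W", "unknown", True),
]

if __name__ == "__main__":
    for f in triage(INVENTORY):
        exposure = "remote-mgmt ON" if f.remote_mgmt else "LAN only"
        print(f"{f.host:8} {f.model:7} {f.firmware:10} {f.status:16} "
              f"{exposure:15} -> {f.upgrade_to}  {', '.join(f.advisories)}")
```

The remote-management flag for each row comes from the check the advisories
describe (Basic Settings > Remote Management on the device itself).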

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================