===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2020.2119.2
Cisco Small Business RV Series Routers Vulnerabilities
4 August 2020
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Cisco Small Business RV Series Routers
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3296 CVE-2020-3295 CVE-2020-3294
                   CVE-2020-3293 CVE-2020-3292 CVE-2020-3291
                   CVE-2020-3290 CVE-2020-3289 CVE-2020-3288
                   CVE-2020-3287 CVE-2020-3286 CVE-2020-3269
                   CVE-2020-3268

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-Rj5JRfF8
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-stack-vUxHmnNz
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-injection-tWC7krKQ

Comment: This bulletin contains three (3) Cisco Systems security advisories.
Revision History:  August 4 2020: Update to v1.1 for cisco-sa-rv-routers-Rj5JRfF8
                   June 18 2020: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco Small Business RV Series Routers Command Injection Vulnerabilities

Priority:        High
Advisory ID:     cisco-sa-rv-routers-Rj5JRfF8
First Published: 2020 June 17 16:00 GMT
Last Updated:    2020 August 3 16:18 GMT
Version 1.1:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvt26490 CSCvt26504 CSCvt26669 CSCvt26676
                 CSCvt26683 CSCvt26714 CSCvt29372 CSCvt29376
                 CSCvt29405 CSCvt29407 CSCvt29409 CSCvt29415
CWE-77

CVSS Score:
7.2  AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325 Series Routers and Cisco Small Business RV016, RV042, and RV082 Routers could allow an authenticated, remote attacker with administrative privileges to execute arbitrary commands on an affected device.

    The vulnerabilities exist because the web-based management interface does not properly validate user-supplied input to scripts. An attacker with administrative privileges that are sufficient to log in to the web-based management interface could exploit each vulnerability by sending malicious requests to an affected device. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system.

    Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-Rj5JRfF8

Affected Products

  o Vulnerable Products

    These vulnerabilities affect the following Cisco Small Business routers and firmware releases:

      RV016 Multi-WAN VPN: 4.2.3.10 and earlier
      RV042 Dual WAN VPN: 4.2.3.10 and earlier
      RV042G Dual Gigabit WAN VPN: 4.2.3.10 and earlier
      RV082 Dual WAN VPN: 4.2.3.10 and earlier
      RV320 Dual Gigabit WAN VPN: 1.5.1.05 and earlier
      RV325 Dual Gigabit WAN VPN: 1.5.1.05 and earlier

    The web-based management interface for these devices is available through a local LAN connection or through the remote management feature. By default, the remote management feature is disabled for the affected devices.

    To determine whether the remote management feature is enabled for a device, open the web-based management interface through a local LAN connection and then choose Basic Settings > Remote Management. If the Enable check box is checked, remote management is enabled for the device.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.

Workarounds

  o There are no workarounds that address these vulnerabilities.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner.
    In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

    Fixed Releases

    Cisco fixed these vulnerabilities in Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers Firmware Release 1.5.1.11.

    Cisco fixed these vulnerabilities in Cisco RV016, RV042, and RV082 Routers Firmware Release 4.2.3.14.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory.

    The Cisco PSIRT is not aware of any malicious use of the vulnerabilities that are described in this advisory.

Source

  o Cisco would like to thank Kai Cheng for reporting these vulnerabilities.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Action Links for This Advisory

  o Snort Rule 54320
    Snort Rule 54321
    Snort Rule 54322
    Snort Rule 54323
    Snort Rule 54324
    Snort Rule 54325
    Snort Rule 54326
    Snort Rule 54327
    Snort Rule 54328
    Snort Rule 54329
    Snort Rule 54330
    Snort Rule 54331

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-Rj5JRfF8

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version | Description                 | Section  | Status | Date        |
    +---------+-----------------------------+----------+--------+-------------+

--------------------------------------------------------------------------------

Cisco Small Business RV Series Routers Stack Overflow Arbitrary Code Execution Vulnerabilities

Priority:        High
Advisory ID:     cisco-sa-rv-routers-stack-vUxHmnNz
First Published: 2020 June 17 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvt26525 CSCvt26555 CSCvt26591 CSCvt26619
                 CSCvt26643 CSCvt26659 CSCvt26663 CSCvt26705
                 CSCvt26718 CSCvt26725 CSCvt26729 CSCvt29381
                 CSCvt29385 CSCvt29388 CSCvt29396 CSCvt29398
                 CSCvt29400 CSCvt29403 CSCvt29414 CSCvt29416
                 CSCvt29421 CSCvt29423
CVE-2020-3286 CVE-2020-3287 CVE-2020-3288 CVE-2020-3289
CVE-2020-3290 CVE-2020-3291 CVE-2020-3292 CVE-2020-3293
CVE-2020-3294 CVE-2020-3295 CVE-2020-3296
CWE-119

CVSS Score:
7.2  AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325
    Series Routers and Cisco Small Business RV016, RV042, and RV082 Routers could allow an authenticated, remote attacker with administrative privileges to execute arbitrary code on an affected device.

    The vulnerabilities are due to insufficient boundary restrictions on user-supplied input to scripts in the web-based management interface. An attacker with administrative privileges that are sufficient to log in to the web-based management interface could exploit each vulnerability by sending crafted requests that contain overly large values to an affected device, causing a stack overflow. A successful exploit could allow the attacker to cause the device to crash or allow the attacker to execute arbitrary code with root privileges on the underlying operating system.

    Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-stack-vUxHmnNz

Affected Products

  o Vulnerable Products

    These vulnerabilities affect the following Cisco Small Business routers and firmware releases:

      RV016 Multi-WAN VPN: 4.2.3.10 and earlier
      RV042 Dual WAN VPN: 4.2.3.10 and earlier
      RV042G Dual Gigabit WAN VPN: 4.2.3.10 and earlier
      RV082 Dual WAN VPN: 4.2.3.10 and earlier
      RV320 Dual Gigabit WAN VPN: 1.5.1.05 and earlier
      RV325 Dual Gigabit WAN VPN: 1.5.1.05 and earlier

    The web-based management interface for these devices is available through a local LAN connection or through the remote management feature. By default, the remote management feature is disabled for the affected devices.

    To determine whether the remote management feature is enabled for a device, open the web-based management interface through a local LAN connection and then choose Basic Settings > Remote Management. If the Enable check box is checked, remote management is enabled for the device.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.

Workarounds

  o There are no workarounds that address these vulnerabilities.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

    Fixed Releases

    Cisco fixed these vulnerabilities in Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers Firmware Release 1.5.1.11.

    Cisco fixed these vulnerabilities in Cisco RV016, RV042, and RV082 Routers Firmware Release 4.2.3.14.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory.

    The Cisco PSIRT is not aware of any malicious use of the vulnerabilities that are described in this advisory.

Source

  o Cisco would like to thank Kai Cheng for reporting these vulnerabilities.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-stack-vUxHmnNz

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUN-17  |
    +----------+---------------------------+----------+--------+--------------+

--------------------------------------------------------------------------------

Cisco Small Business RV110W, RV130, RV130W, and RV215W Series Routers Management Interface Vulnerabilities

Priority:        High
Advisory ID:     cisco-sa-rv-routers-injection-tWC7krKQ
First Published: 2020 June 17 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
CVE-2020-3268 CVE-2020-3269
CWE-119 CWE-20

CVSS Score:
7.2  AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o Multiple vulnerabilities in the web-based management interface of Cisco RV110W, RV130, RV130W, and RV215W Series Routers could allow an authenticated, remote attacker with administrative privileges to execute arbitrary commands.

    For more information about these vulnerabilities, see the Details section of this advisory.

    Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-injection-tWC7krKQ

Affected Products

  o Vulnerable Products

    The following table lists Cisco products that are affected by one or more of the vulnerabilities that are described in this advisory:

    +---------------------------------------------+------------------------+----------------------+--------------------+
    | Product                                     | Cisco Bug IDs          | Vulnerable Releases  | Fixed Releases     |
    +---------------------------------------------+------------------------+----------------------+--------------------+
    | Cisco Small Business RV110W Wireless-N VPN  | CSCvt28218, CSCvt28233 | 1.2.2.5 and earlier  | 1.2.2.8 and later  |
    | Firewall                                    |                        |                      |                    |
    | Cisco Small Business RV130 VPN Router       | CSCvt28203, CSCvt28229 | 1.0.3.54 and earlier | 1.0.3.55 and later |
    | Cisco Small Business RV130W Wireless-N      | CSCvt28203, CSCvt28229 | 1.0.3.54 and earlier | 1.0.3.55 and later |
    | Multifunction VPN Router                    |                        |                      |                    |
    | Cisco Small Business RV215W Wireless-N VPN  | CSCvt28223, CSCvt28237 | 1.3.1.5 and earlier  | 1.3.1.7 and later  |
    | Router                                      |                        |                      |                    |
    +---------------------------------------------+------------------------+----------------------+--------------------+

    The web-based management interface for these devices is available through a local LAN connection or through the remote management feature. By default, the remote management feature is disabled for the affected devices.

    To determine whether the remote management feature is enabled for a device, open the web-based management interface through a local LAN connection and then choose Basic Settings > Remote Management. If the Enable check box is checked, remote management is enabled for the device.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.

Details

  o Two vulnerabilities in the web-based management interface of Cisco RV110W, RV130, RV130W, and RV215W Series Routers could allow an authenticated, remote attacker with administrative privileges to execute arbitrary commands.

    The vulnerabilities are not dependent on one another; exploitation of one of the vulnerabilities is not required to exploit the other vulnerability.

    Details about the vulnerabilities are as follows:

    Cisco Small Business Routers Command Injection Vulnerability

    The vulnerability exists because the web-based management interface does not properly validate user-supplied input to scripts. An attacker with administrative privileges sufficient to log in to the web-based management interface could exploit this vulnerability by sending malicious requests to an affected device. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system.

    Bug ID(s): CSCvt28203, CSCvt28218, CSCvt28223
    CVE ID: CVE-2020-3268
    Security Impact Rating (SIR): High
    CVSS Base Score: 7.2
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

    Cisco Small Business Routers Stack Overflow Vulnerability

    The vulnerability is due to improper boundary restrictions of user-supplied input to the web-based management interface. An attacker with administrative privileges sufficient to log in to the web-based management interface could exploit this vulnerability by sending malicious requests to an affected device. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system.

    Bug ID(s): CSCvt28229, CSCvt28233, CSCvt28237
    CVE ID: CVE-2020-3269
    Security Impact Rating (SIR): High
    CVSS Base Score: 7.2
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Workarounds

  o There are no workarounds that address these vulnerabilities.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license.
    By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

    Fixed Releases

    Cisco fixed these vulnerabilities in Cisco RV110W, RV130, RV130W, and RV215W Series Routers firmware releases 1.0.3.6 and later, 1.2.2.8 and later, and 1.3.1.7 and later.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory.

    The Cisco PSIRT is not aware of any malicious use of the vulnerabilities that are described in this advisory.

Source

  o Cisco would like to thank Kai Cheng for reporting these vulnerabilities.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-injection-tWC7krKQ

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUN-17  |
    +----------+---------------------------+----------+--------+--------------+

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content.
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
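
Added example (not part of the Cisco advisories or the AusCERT bulletin): a Python sketch that triages a router inventory against the vulnerable and fixed releases stated above, comparing firmware numerically and reporting releases that fall between the stated bounds as indeterminate. The inventory rows and host names are constructed, RV042G is assumed to follow the RV042 fixed release, and the RV130/RV130W bounds are taken from the Vulnerable Products table.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# model -> (last vulnerable release, first fixed release), copied from the
# advisories above. RV130/RV130W use the Vulnerable Products table values.
# Assumption: RV042G follows the RV042 fixed release (not listed separately).
ADVISORY = {
    "RV016": ("4.2.3.10", "4.2.3.14"), "RV042": ("4.2.3.10", "4.2.3.14"),
    "RV042G": ("4.2.3.10", "4.2.3.14"), "RV082": ("4.2.3.10", "4.2.3.14"),
    "RV320": ("1.5.1.05", "1.5.1.11"), "RV325": ("1.5.1.05", "1.5.1.11"),
    "RV110W": ("1.2.2.5", "1.2.2.8"), "RV215W": ("1.3.1.5", "1.3.1.7"),
    "RV130": ("1.0.3.54", "1.0.3.55"), "RV130W": ("1.0.3.54", "1.0.3.55"),
}
RANK = {"vulnerable": 0, "indeterminate": 1, "fixed": 2, "not-listed": 3}


class Finding(NamedTuple):
    host: str
    model: Optional[str]
    firmware: str
    status: str        # one of the RANK keys
    wan_exposed: bool  # remote management enabled on the device


def parse_version(text: str) -> Tuple[int, ...]:
    """Compare releases numerically: 1.5.1.05 == 1.5.1.5, 1.0.3.6 < 1.0.3.54."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)+", text):
        raise ValueError(f"unparseable firmware string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def normalize_model(raw: str) -> Optional[str]:
    """Pull the RVxxx[letter] token out of a free-form product string."""
    match = re.search(r"\bRV\d{3}[A-Z]?\b", raw.upper())
    return match.group(0) if match and match.group(0) in ADVISORY else None


def classify(model: str, firmware: str) -> str:
    key = normalize_model(model)
    if key is None:
        return "not-listed"
    try:
        version = parse_version(firmware)
    except ValueError:
        return "indeterminate"  # needs a manual look, never assume fixed
    last_vulnerable, first_fixed = (parse_version(v) for v in ADVISORY[key])
    if version <= last_vulnerable:
        return "vulnerable"
    if version >= first_fixed:
        return "fixed"
    return "indeterminate"      # release between the two stated bounds


def triage(inventory) -> List[Finding]:
    """Vulnerable devices first; within a status, WAN-exposed ones first."""
    findings = [Finding(host, normalize_model(model), fw, classify(model, fw), wan)
                for host, model, fw, wan in inventory]
    return sorted(findings, key=lambda f: (RANK[f.status], not f.wan_exposed, f.host))


# Constructed sample inventory: (host, product string, firmware, remote mgmt on)
SAMPLE_INVENTORY = [
    ("branch-01", "Cisco RV042G Dual Gigabit WAN VPN", "4.2.3.10", False),
    ("branch-02", "RV325", "1.5.1.5", True),
    ("branch-03", "RV130W", "1.0.3.55", False),
    ("branch-04", "rv082", "4.2.3.12", True),
    ("branch-05", "RV340", "1.0.03.18", False),
    ("branch-06", "RV215W", "v1.3.1.4-beta", False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        exposure = "remote-mgmt ON" if f.wan_exposed else "LAN only"
        print(f"{f.host:10} {str(f.model):7} {f.firmware:14} {f.status:13} {exposure}")
```

The remote management flag only changes the ordering: a vulnerable device is still vulnerable from the LAN, since the advisories state that the management interface is reachable there as well.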