CVE-2022-20801

Cisco Small Business RV Series Routers Command Injection Vulnerabilities

Severity Score

7.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV340 and RV345 Routers could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by sending malicious input to an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system of the affected device. To exploit these vulnerabilities, an attacker would need to have valid Administrator credentials on the affected device.

Múltiples vulnerabilidades en la interfaz de administración basada en la web de los routers Cisco Small Business RV340 y RV345 podrían permitir a un atacante remoto autenticado inyectar y ejecutar comandos arbitrarios en el sistema operativo subyacente de un dispositivo afectado. Estas vulnerabilidades son debido a que no se han comprobado suficientemente las entradas proporcionadas por el usuario. Un atacante podría explotar estas vulnerabilidades mediante el envío de entradas maliciosas a un dispositivo afectado. Una explotación con éxito podría permitir al atacante ejecutar comandos arbitrarios en el sistema operativo Linux subyacente del dispositivo afectado. Para explotar estas vulnerabilidades, un atacante necesitaría tener credenciales de administrador válidas en el dispositivo afectado

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Cisco RV340 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the handling of set-snmp JSON RPC requests. When parsing the usmUserAuthKey parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the www-data user.

*Credits: Anonymous

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2021-11-02 CVE Reserved
2022-05-04 CVE Published
2024-11-06 CVE Updated
2024-11-12 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-rv-cmd-inj-8Pv9JMJD	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"	Rv340 Firmware Search vendor "Cisco" for product "Rv340 Firmware"	< 1.0.03.27 Search vendor "Cisco" for product "Rv340 Firmware" and version " < 1.0.03.27"	-	Affected	in	Cisco Search vendor "Cisco"	Rv340 Search vendor "Cisco" for product "Rv340"	-	-	Safe
Cisco Search vendor "Cisco"	Rv340w Firmware Search vendor "Cisco" for product "Rv340w Firmware"	< 1.0.03.27 Search vendor "Cisco" for product "Rv340w Firmware" and version " < 1.0.03.27"	-	Affected	in	Cisco Search vendor "Cisco"	Rv340w Search vendor "Cisco" for product "Rv340w"	-	-	Safe
Cisco Search vendor "Cisco"	Rv345 Firmware Search vendor "Cisco" for product "Rv345 Firmware"	< 1.0.03.27 Search vendor "Cisco" for product "Rv345 Firmware" and version " < 1.0.03.27"	-	Affected	in	Cisco Search vendor "Cisco"	Rv345 Search vendor "Cisco" for product "Rv345"	-	-	Safe
Cisco Search vendor "Cisco"	Rv345p Firmware Search vendor "Cisco" for product "Rv345p Firmware"	< 1.0.03.27 Search vendor "Cisco" for product "Rv345p Firmware" and version " < 1.0.03.27"	-	Affected	in	Cisco Search vendor "Cisco"	Rv345p Search vendor "Cisco" for product "Rv345p"	-	-	Safe