Cisco Small Business RV Series Routers Vulnerabilities

Vulnerability

CVE-2022-20705 encompasses multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 series routers. These include a directory traversal in the NGINX web server when parsing the sessionid cookie (ZDI-22-409), improper input validation in the upload.cgi endpoint (ZDI-22-410), and an unrestricted file upload due to improper validation of the Authorization header in NGINX (ZDI-22-415). Affected products include RV160, RV260, RV340, and RV345 series routers running vulnerable firmware versions [1], [2], [3], [4].

Exploitation

An attacker can exploit these vulnerabilities from a network-adjacent position without authentication for the sessionid bypass (ZDI-22-409, ZDI-22-410). The exploitation involves sending crafted HTTP requests with a malicious sessionid cookie or Authorization header. The sessionid bypass can then be chained with the file upload vulnerability (ZDI-22-415) to upload arbitrary files, potentially leading to code execution [2], [3], [4].

Impact

A successful exploit can allow an attacker to bypass authentication, create arbitrary files (as the www-data user), execute arbitrary code, elevate privileges, execute arbitrary commands, fetch and run unsigned software, cause denial of service, and bypass authentication and authorization protections. The overall impact ranges from high confidentiality and integrity compromise to complete device takeover [1], [2], [3].

Mitigation

Cisco has released firmware updates to address these vulnerabilities. Users should upgrade to the latest fixed software version as specified in the Cisco Security Advisory [1]. No workarounds are available. For RV340 and RV345 series routers, ensure firmware is updated to a version that includes fixes for these vulnerabilities.