The array of newly disclosed vulnerabilities in Cisco routers, including five with a “critical” severity rating, has increased cyber risk for businesses of all sizes, cybersecurity executives told VentureBeat.
Among the vulnerabilities are three that come with the highest possible severity rating—including a remote code execution (RCE) vulnerability and a flaw that allows remote users to elevate their privileges.
While the 15 vulnerabilities affect routers used by small and medium-sized businesses (SMBs), businesses large and small are intertwined from a security perspective in 2022. When an SMB doesn’t address a major security issue such as this—due, for instance, to lack of resources—this can spill over into becoming a problem for the enterprises they do business with.
“When SMBs get hacked, that can impact larger organizations,” said Matthew Warner, cofounder and chief technology officer at Blumira, in an email.
In the 2013 breach of Target, for instance, the attackers reportedly gained their initial access by hacking an HVAC contractor that had worked at Target locations. Rather than going after Target directly, the attackers breached the presumably less-protected contractor—and leveraged that to get access to Target’s environment, Warner said.
“It’s a common attack mechanism for threat actors to target MSPs or other SMBs that have broad access into a number of other bigger organizations for their access alone,” he said.
This week, Cisco disclosed the 15 vulnerabilities that have been discovered in its RV160, RV260, RV340, and RV345 Series Routers. Cisco said it has released patches for the vulnerabilities, and that there are no workarounds for the flaws.
Three of the flaws have been assigned the highest possible severity rating, 10.0:
- CVE-2022-20699 is a vulnerability in the SSL VPN module of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. The flaw can allow an unauthenticated attacker to remotely execute code on a vulnerable device, and can be exploited to acquire root privileges, Cisco said.
- CVE-2022-20700 is a vulnerability in the web interface used to manage Cisco Small Business RV Series Routers. The flaw can allow an attacker to remotely elevate their privileges to root, Cisco said.
- CVE-2022-20708 is a vulnerability in the web interface used to manage Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. The flaw can allow an unauthenticated attacker to remotely inject and execute commands on the underlying Linux operating system, Cisco said.
The two other “critical” vulnerabilities are CVE-2022-20703—which can allow an unauthenticated local user to install malicious software, and has a severity rating of 9.3—and CVE-2022-20701, which carries a 9.0 rating and is related to the remote privilege escalation vulnerability (CVE-2022-20700).
In its advisory, Cisco noted that among the 15 vulnerabilities, some “are dependent on one another. Exploitation of one of the vulnerabilities may be required to exploit another vulnerability.”
The vulnerabilities are “very concerning” due to their severity and multiple attack vectors presented, said Tim Silverline, vice president of security at Gluware, in an email.
While SMBs that use the routers are the most directly affected by the vulnerabilities, SMBs often connect to enterprise partners via VPN tunnels, Silverline noted. “It could be another entry point into [the enterprise] network if those connections are not properly secured,” he said.
Thus, creating strong security policies at the enterprise border using positive enforcement or zero trust technologies “can help to mitigate most of the risk that these sorts of connections would pose,” Silverline said.
The disclosure comes at a time of particularly high attention on software vulnerabilities, following the reveal of the RCE flaw in Apache Log4j, a widely used Java logging component, in December. Other major vulnerabilities disclosed recently have included “PwnKit,” which affects a widely installed Linux program—polkit’s pkexec—and can be easily exploited for local privilege escalation.