cisco-sa-rv34x-privesc-rce-qe33tcms
Vulnerability from csaf_cisco
Published
2024-10-02 16:00
Modified
2024-10-02 16:00
Summary
Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Privilege Escalation and Remote Command Execution Vulnerabilities
Notes
Summary
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to elevate privileges and execute arbitrary commands on the underlying operating system of an affected device.
For more information about these vulnerabilities, see the Details ["#details"] section of this advisory.
Cisco has not released and will not release software updates that address these vulnerabilities because the affected products are past their respective dates for End of Software Maintenance Releases. The Cisco Product Security Incident Response Team (PSIRT) will continue to evaluate and disclose security vulnerabilities that affect these products until they reach their respective Last Dates of Support.
There are no workarounds that address these vulnerabilities.
Vulnerable Products
These vulnerabilities affect the following Cisco RV Series Small Business Routers:
RV340 Dual WAN Gigabit VPN Routers
RV340W Dual WAN Gigabit Wireless-AC VPN Routers
RV345 Dual WAN Gigabit VPN Routers
RV345P Dual WAN Gigabit PoE VPN Routers
Determine the Device Configuration
The web-based management interface of these devices is available through a local LAN connection, which cannot be disabled, or through the WAN connection if the remote management feature is enabled. By default, the remote management feature is disabled on these devices.
To determine whether the remote management feature is enabled on a device, open the web-based management interface and choose Basic Settings > Remote Management. If the Enable check box is checked, remote management is enabled on the device.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by these vulnerabilities.
Cisco has confirmed that these vulnerabilities do not affect the following Cisco RV Series Small Business Routers:
RV160 VPN Routers
RV160W Wireless-AC VPN Routers
RV260 VPN Routers
RV260P VPN Routers with PoE
RV260W Wireless-AC VPN Routers
Details
The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit the other vulnerability.
Details about the vulnerabilities are as follows:
CVE-2024-20393: Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Privilege Escalation Vulnerability
A vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to elevate privileges on an affected device.
This vulnerability exists because the web-based management interface discloses sensitive information. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow an attacker to elevate privileges from guest to admin.
There are no workarounds that address this vulnerability.
Bug ID(s): CSCwm27935 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwm27935"]
CVE ID: CVE-2024-20393
Security Impact Rating (SIR): High
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2024-20470: Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Remote Code Execution Vulnerability
A vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device. In order to exploit this vulnerability, the attacker must have valid admin credentials.
This vulnerability exists because the web-based management interface does not sufficiently validate user-supplied input. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system.
There are no workarounds that address this vulnerability.
Bug ID(s): CSCwk99655 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk99655"]
CVE ID: CVE-2024-20470
Security Impact Rating (SIR): Medium
CVSS Base Score: 4.7
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Workarounds
There are no workarounds that address these vulnerabilities.
Fixed Software
Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers are past their respective dates for End of Software Maintenance Releases. For this reason, Cisco has not released and will not release software updates to address the vulnerabilities that are described in this advisory. Customers are advised to refer to the end-of-life notices for these products:
End-of-Sale and End-of-Life Announcement for the Cisco Small Business RV340 and RV345 Series ["https://www.cisco.com/c/en/us/products/collateral/routers/small-business-rv-series-routers/small-business-rv340-rv345-series-eol.html"]
End-of-Sale and End-of-Life Announcement for the Cisco RV 160, RV260, RV345P, RV340W, RV260W, RV260P and RV160W VPN Router ["https://www.cisco.com/c/en/us/products/collateral/routers/small-business-rv-series-routers/eos-eol-notice-c51-2655972.html"]
When considering a device migration, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page ["https://www.cisco.com/go/psirt"], to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the new products will be sufficient for their network needs, that the new devices contain sufficient memory, and that current hardware and software configurations will continue to be supported properly by the new product. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
Source
Cisco would like to thank H4lo of Webin DBappSecurity for reporting these vulnerabilities.
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
{
"document": {
"acknowledgments": [
{
"summary": "Cisco would like to thank H4lo of Webin DBappSecurity for reporting these vulnerabilities."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"notes": [
{
"category": "summary",
"text": "Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to elevate privileges and execute arbitrary commands on the underlying operating system of an affected device.\r\n\r\nFor more information about these vulnerabilities, see the Details [\"#details\"] section of this advisory.\r\n\r\nCisco has not released and will not release software updates that address these vulnerabilities because the affected products are past their respective dates for End of Software Maintenance Releases. The Cisco Product Security Incident Response Team (PSIRT) will continue to evaluate and disclose security vulnerabilities that affect these products until they reach their respective Last Dates of Support.\r\n\r\nThere are no workarounds that address these vulnerabilities.\r\n\r\n",
"title": "Summary"
},
{
"category": "general",
"text": "These vulnerabilities affect the following Cisco RV Series Small Business Routers:\r\n\r\nRV340 Dual WAN Gigabit VPN Routers\r\nRV340W Dual WAN Gigabit Wireless-AC VPN Routers\r\nRV345 Dual WAN Gigabit VPN Routers\r\nRV345P Dual WAN Gigabit PoE VPN Routers\r\n\r\nDetermine the Device Configuration\r\n\r\nThe web-based management interface of these devices is available through a local LAN connection, which cannot be disabled, or through the WAN connection if the remote management feature is enabled. By default, the remote management feature is disabled on these devices.\r\n\r\nTo determine whether the remote management feature is enabled on a device, open the web-based management interface and choose Basic Settings \u003e Remote Management. If the Enable check box is checked, remote management is enabled on the device.",
"title": "Vulnerable Products"
},
{
"category": "general",
"text": "Only products listed in the Vulnerable Products [\"#vp\"] section of this advisory are known to be affected by these vulnerabilities.\r\n\r\nCisco has confirmed that these vulnerabilities do not affect the following Cisco RV Series Small Business Routers:\r\n\r\nRV160 VPN Routers\r\nRV160W Wireless-AC VPN Routers\r\nRV260 VPN Routers\r\nRV260P VPN Routers with PoE\r\nRV260W Wireless-AC VPN Routers",
"title": "Products Confirmed Not Vulnerable"
},
{
"category": "general",
"text": "The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit the other vulnerability.\r\n\r\nDetails about the vulnerabilities are as follows:\r\n\r\nCVE-2024-20393: Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Privilege Escalation Vulnerability\r\n\r\nA vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to elevate privileges on an affected device.\r\n\r\nThis vulnerability exists because the web-based management interface discloses sensitive information. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow an attacker to elevate privileges from guest to admin.\r\n\r\nThere are no workarounds that address this vulnerability.\r\n\r\nBug ID(s): CSCwm27935 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwm27935\"]\r\nCVE ID: CVE-2024-20393\r\nSecurity Impact Rating (SIR): High\r\nCVSS Base Score: 8.8\r\nCVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\r\n\r\nCVE-2024-20470: Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Remote Code Execution Vulnerability\r\n\r\nA vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device. In order to exploit this vulnerability, the attacker must have valid admin credentials.\r\n\r\nThis vulnerability exists because the web-based management interface does not sufficiently validate user-supplied input. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system.\r\n\r\nThere are no workarounds that address this vulnerability.\r\n\r\nBug ID(s): CSCwk99655 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk99655\"]\r\nCVE ID: CVE-2024-20470\r\nSecurity Impact Rating (SIR): Medium\r\nCVSS Base Score: 4.7\r\nCVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"title": "Details"
},
{
"category": "general",
"text": "There are no workarounds that address these vulnerabilities.",
"title": "Workarounds"
},
{
"category": "general",
"text": "Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers are past their respective dates for End of Software Maintenance Releases. For this reason, Cisco has not released and will not release software updates to address the vulnerabilities that are described in this advisory. Customers are advised to refer to the end-of-life notices for these products:\r\n\r\nEnd-of-Sale and End-of-Life Announcement for the Cisco Small Business RV340 and RV345 Series [\"https://www.cisco.com/c/en/us/products/collateral/routers/small-business-rv-series-routers/small-business-rv340-rv345-series-eol.html\"]\r\n\r\nEnd-of-Sale and End-of-Life Announcement for the Cisco RV 160, RV260, RV345P, RV340W, RV260W, RV260P and RV160W VPN Router [\"https://www.cisco.com/c/en/us/products/collateral/routers/small-business-rv-series-routers/eos-eol-notice-c51-2655972.html\"]\r\n\r\nWhen considering a device migration, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page [\"https://www.cisco.com/go/psirt\"], to determine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should ensure that the new products will be sufficient for their network needs, that the new devices contain sufficient memory, and that current hardware and software configurations will continue to be supported properly by the new product. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.",
"title": "Fixed Software"
},
{
"category": "general",
"text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
"title": "Vulnerability Policy"
},
{
"category": "general",
"text": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.",
"title": "Exploitation and Public Announcements"
},
{
"category": "general",
"text": "Cisco would like to thank H4lo of Webin DBappSecurity for reporting these vulnerabilities.",
"title": "Source"
},
{
"category": "legal_disclaimer",
"text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
"title": "Legal Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@cisco.com",
"issuing_authority": "Cisco PSIRT",
"name": "Cisco",
"namespace": "https://wwww.cisco.com"
},
"references": [
{
"category": "self",
"summary": "Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Privilege Escalation and Remote Command Execution Vulnerabilities",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv34x-privesc-rce-qE33TCms"
},
{
"category": "external",
"summary": "Cisco Security Vulnerability Policy",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
},
{
"category": "external",
"summary": "CSCwm27935",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwm27935"
},
{
"category": "external",
"summary": "CSCwk99655",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk99655"
},
{
"category": "external",
"summary": "End-of-Sale and End-of-Life Announcement for the Cisco Small Business RV340 and RV345 Series",
"url": "https://www.cisco.com/c/en/us/products/collateral/routers/small-business-rv-series-routers/small-business-rv340-rv345-series-eol.html"
},
{
"category": "external",
"summary": "End-of-Sale and End-of-Life Announcement for the Cisco RV 160, RV260, RV345P, RV340W, RV260W, RV260P and RV160W VPN Router",
"url": "https://www.cisco.com/c/en/us/products/collateral/routers/small-business-rv-series-routers/eos-eol-notice-c51-2655972.html"
},
{
"category": "external",
"summary": "Cisco Security Advisories page",
"url": "https://www.cisco.com/go/psirt"
},
{
"category": "external",
"summary": "Security Vulnerability Policy",
"url": "http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"
}
],
"title": "Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Privilege Escalation and Remote Command Execution Vulnerabilities",
"tracking": {
"current_release_date": "2024-10-02T16:00:00+00:00",
"generator": {
"date": "2024-10-02T15:56:56+00:00",
"engine": {
"name": "TVCE"
}
},
"id": "cisco-sa-rv34x-privesc-rce-qE33TCms",
"initial_release_date": "2024-10-02T16:00:00+00:00",
"revision_history": [
{
"date": "2024-10-02T15:56:02+00:00",
"number": "1.0.0",
"summary": "Initial public release."
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_family",
"name": "Cisco Small Business RV Series Router Firmware",
"product": {
"name": "Cisco Small Business RV Series Router Firmware ",
"product_id": "CSAFPID-183630"
}
}
],
"category": "vendor",
"name": "Cisco"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-20393",
"ids": [
{
"system_name": "Cisco Bug ID",
"text": "CSCwm27935"
}
],
"notes": [
{
"category": "other",
"text": "Complete.",
"title": "Affected Product Comprehensiveness"
}
],
"product_status": {
"known_affected": [
"CSAFPID-183630"
]
},
"release_date": "2024-10-02T16:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "Cisco has released software updates that address this vulnerability.",
"product_ids": [
"CSAFPID-183630"
],
"url": "https://software.cisco.com"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-183630"
]
}
],
"title": "Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Privilege Escalation Vulnerability"
},
{
"cve": "CVE-2024-20470",
"ids": [
{
"system_name": "Cisco Bug ID",
"text": "CSCwk99655"
}
],
"notes": [
{
"category": "other",
"text": "Complete.",
"title": "Affected Product Comprehensiveness"
}
],
"product_status": {
"known_affected": [
"CSAFPID-183630"
]
},
"release_date": "2024-10-02T16:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "Cisco has released software updates that address this vulnerability.",
"product_ids": [
"CSAFPID-183630"
],
"url": "https://software.cisco.com"
}
],
"title": "Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Remote Code Execution Vulnerability"
}
]
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.