Cisco released a security advisory to address critical severity vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 Routers (CVE-2023-20025 & CVE-2023-20026). On successful exploitation, these vulnerabilities could allow a remote attacker to bypass authentication or execute arbitrary commands on affected devices.
Hou Liuyang of Qihoo 360 Netlab has discovered both vulnerabilities.
Cisco Small Business RV016, RV042, RV042G, and RV082 Routers have entered the end-of-life process. Customers can refer to the end-of-life notices for these products:
- End-of-Sale and End-of-Life Announcement for the Cisco RV016 Multi-WAN VPN Router
- End-of-Sale and End-of-Life Announcement for the Cisco RV042 and RV042G VPN Router (all models)
- End-of-Sale and End-of-Life Announcement for the Cisco RV082 Dual WAN VPN Router
CVE-2023-20025: Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Authentication Bypass Vulnerability
The vulnerability arises from improper user input validation within incoming HTTP packets. This vulnerability can be exploited without any authentication. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface.
This vulnerability could allow attackers to bypass authentication and gain root access on the underlying operating system on successful exploitation.
This vulnerability is being exploited in the wild. Cisco has mentioned in the advisory that they are aware that proof-of-concept exploit code is publicly available, but not aware of any malicious use of these vulnerabilities.
CVE-2023-20026: Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Remote Command Execution Vulnerability
The vulnerability originates from improper user input validation within incoming HTTP packets. Valid administrative credentials are required to exploit this vulnerability. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface.
On successful exploitation, this vulnerability could allow an attacker to gain root-level privileges and access unauthorized data.
Affected products
- RV042 Dual WAN VPN Routers
- RV082 Dual WAN VPN Routers
- RV016 Multi-WAN VPN Routers
- RV042G Dual Gigabit WAN VPN Routers
Mitigation
“Cisco has not released and will not release software updates to address the vulnerabilities CVE-2023-20025 & CVE-2023-20026,” Cisco mentioned in the advisory.
Customers can refer to the official Cisco Security Advisory (cisco-sa-sbr042-multi-vuln-ej76Pke5) for more information about the vulnerabilities.
Workaround
The advisory says, “There are no workarounds that address these vulnerabilities. However, administrators can mitigate the vulnerabilities by disabling remote management and blocking access to ports 443 and 60443. The routers will still be accessible through the LAN interface after the mitigation has been implemented.”
Disable Remote Management
Perform the following steps to disable remote management:
- Log in to the web-based management interface for the device.
- Select Firewall > General.
- Uncheck the Remote Management check box.
Block Access to Ports 443 and 60443
Start by adding a new service to the device’s access rules for port 60443. Since port 443 is already listed in the services list, there is no need to build a service.
Here are the steps:
- Log in to the web-based management interface for the device.
- Choose Firewall > Access Rules.
- Click Service Management.
- In the Service Name field, enter TCP-60443.
- From the Protocol drop-down list, choose TCP.
- In both Port Range fields, enter 60443.
- Click Add to List.
- Click OK.
To block ports 443 and 60443, define access rules as the next step. Here are the steps required to create an access rule to block port 443:
- Log in to the web-based management interface for the device.
- Choose Firewall > Access Rules.
- Click Add.
- From the Action drop-down list, choose Deny.
- From the Service drop-down list, choose HTTPS (TCP 443-443).
- From the Log drop-down list, choose Log packets match this rule.
- From the Source Interface drop-down list, choose the option that matches the WAN connection on the device.
- From the Source IP drop-down list, choose Any.
- From the Destination IP drop-down list, choose Single.
- In both Destination IP fields, enter the WAN IP address.
- Click Save.
To create an access rule to block port 60443, you can just repeat the steps mentioned above, but for Step 5, choose HTTPS (TCP 60443-60443) from the Service drop-down list.
NOTE: Two additional ACL rules need to be set up using the WAN number and IP address for the second WAN port when a second WAN port is being used.
Qualys Detection
Qualys customers can scan their devices with QID 730693 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on latest vulnerabilities.
References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbr042-multi-vuln-ej76Pke5