CVE-2022-20827 Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause a DoS.

These vulnerabilities are due to weaknesses in processing code that is generated by the router. An attacker could exploit these vulnerabilities to execute code on the device or cause the device to crash, resulting in a denial of service. Cisco has released software updates that address these vulnerabilities for all affected Cisco Small Business RV Series Routers.

CVE-2018-0171: Heap-based memory corruption issue Cisco Small Business RV Series Routers running software releases 1.0.0 to 1.0.10 could allow an unauthenticated attacker to cause a denial of service (DoS) condition by injecting malicious code into web server processes that are running on the device. The vulnerability exists because the code that is generated by the router does not limit the size of data that is processed. An attacker could exploit this vulnerability by sending a series of messages to a web server on the router. Cisco has released software updates that address this vulnerability for all affected Cisco Small Business RV Series Routers.

CVE-2018-0172: HTTPoxy vulnerability Cisco Small Business RV Series Routers running software releases 1.0.0 to 1.0.10 could allow an unauthenticated attacker to cause a denial of service (DoS) condition by sending a series of requests with invalid HTTP headers to a web server running on the router. The vulnerability exists because the code that is generated by the router does not properly parse HTTP requests

Cisco has confirmed these vulnerabilities on the Cisco Small Business RV Series Routers

How do I know if my device is affected?

Cisco has released software updates that address these vulnerabilities for all affected Cisco Small Business RV Series Routers. To determine if your device is running one of the affected releases, check the version number on the router's web interface. For example, a device running release 2.1.14 would have a version number of 201c0 and not 2.1.14 as shown in the screenshot below:

If you are using one of these routers please contact Cisco to obtain updated firmware, instructions and guidance on how to do this are provided here
http://www.cisco.com/go/sbrouter

Cisco has released software updates to address these vulnerabilities

Cisco has released software updates that address these vulnerabilities for all affected Cisco Small Business RV Series Routers.

Timeline

Published on: 08/10/2022 09:15:00 UTC
Last modified on: 08/12/2022 18:07:00 UTC

References

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-mult-vuln-CbVp4SUR
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-20827