02.17.22

Customer Advisory | Exploit Code Released for Critical Cisco Vulnerability: CVE-2022-20699

By Deepwatch

Prepared by Deepwatch Threat Intel Team

Key Points:

  • Proof-of-Concept (PoC) exploit code was publicly released, and a pull request was sent to the Metasploit project for CVE-2022-20699, a critical vulnerability in Cisco RV340/RV345 series SSL VPN devices.
  • A threat actor could exploit this vulnerability by sending malicious HTTP queries to a vulnerable SSL VPN Gateway device. If the exploit is successful, the attacker could gain remote code execution with root privileges on the target device.
  • The Deepwatch Threat Intel Team assesses with moderate confidence that threat actors will exploit the vulnerability to perform remote code execution on vulnerable devices as a means to install cryptominers or as an initial foothold into an organization. With PoC exploit code released and remote services being one of the most prevalent attack methods in 2021 according to the Deepwatch Threat Intel Team, it is highly recommended that customers upgrade to the latest releases.

Overview:

Proof-of-concept (PoC) exploit code was publicly released, and a pull request was sent to the Metasploit project for a critical vulnerability, tracked as CVE-2022-20699, in Cisco RV340/RV345 series SSL VPN devices. An unauthenticated, remote threat actor could gain privileged arbitrary code execution if this vulnerability is exploited.

Vulnerability Details:

The vulnerability is introduced when processing specific HTTP requests due to insufficient boundary checks. As a result, a threat actor could execute code with root privileges on the vulnerable devices by sending malicious HTTP requests.

What Devices are Affected?

  • RV340 Dual WAN Gigabit VPN Routers
  • RV340W Dual WAN Gigabit Wireless-AC VPN Routers
  • RV345 Dual WAN Gigabit VPN Routers
  • RV345P Dual WAN Gigabit POE VPN Routers

Exploit Details:

The publicly available exploit chains two vulnerabilities to achieve remote code execution: CVE-2022-20699 and an improper memory configuration.

In addition to the PoC being publicly released, a pull request was sent to the Metasploit project on February 11, 2022, to introduce a module that would simplify exploitation using the Metasploit platform. 

First, the exploit code and the Metasploit module take advantage of CVE-2022-20699 by sending specially crafted packets to the device. Because the receiving function fails to correctly bound the extra data placed in the PACKET_IN buffer, the packets cause a stack-based buffer overflow, which the exploit uses to overwrite the return address.

Once the stack overflow has been exploited, the exploit uses the improper memory configuration vulnerability to obtain read, write, and execute permissions on the stack, so that shellcode placed there can be executed.

What Do I Need to Do?

Customers running RV340 and RV345 series routers should update to 1.0.03.26.
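A small check that flags affected routers whose firmware is older than the fixed release, as an added example that is not part of the Deepwatch advisory. The inventory records are constructed, and the dotted four-part version format is an assumption; the point it illustrates is that firmware versions must be compared field by field, not as strings (as strings, "1.0.03.9" sorts after "1.0.03.26").

```python
"""Flag RV340/RV345 series routers running firmware older than 1.0.03.26.

Added example, not code from the advisory. The inventory format is assumed.
"""

FIXED_RELEASE = "1.0.03.26"  # fixed firmware release named in the advisory

# Models listed as affected in the advisory
AFFECTED_MODELS = {"RV340", "RV340W", "RV345", "RV345P"}

# Constructed inventory records (hostname, model, installed firmware)
INVENTORY = [
    ("vpn-gw-01", "RV340", "1.0.03.24"),
    ("vpn-gw-02", "RV345P", "1.0.03.26"),
    ("vpn-gw-03", "RV340W", "1.0.03.9"),   # string comparison would miss this one
    ("vpn-gw-04", "RV345", "1.0.03.27"),
    ("branch-fw-01", "RV160", "1.0.01.05"),  # not in the affected list
]


def parse_version(version):
    """Turn '1.0.03.26' into (1, 0, 3, 26) so tuple comparison is numeric."""
    return tuple(int(part) for part in version.split("."))


def needs_update(installed, fixed=FIXED_RELEASE):
    """True when the installed firmware is older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def routers_needing_update(inventory=INVENTORY):
    """Return hostnames of affected-model routers still below the fixed release."""
    return [
        host for host, model, fw in inventory
        if model in AFFECTED_MODELS and needs_update(fw)
    ]


if __name__ == "__main__":
    for host in routers_needing_update():
        print(f"{host}: update to {FIXED_RELEASE}")
```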

Can I Observe Exploitation?

Possibly. The shellcode in the PoC uses “execve()” to execute /bin/sh. It allows the threat actor to specify a host and port to establish interactive access to the compromised device via a reverse shell. Still, it’s unclear whether the exploit creates a parent-child relationship between the “sslvpnd” process and “/bin/sh.”

Checking for abnormal connections to TCP port 8443 on impacted devices, followed by abnormal outbound connections to internet routable IP addresses, may help discover exploitation.
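The correlation described above, implemented over flow records, as an added example that is not part of the Deepwatch advisory. It pairs inbound connections to the router's TCP port 8443 with outbound connections the router itself makes to internet-routable addresses shortly afterwards. The flow log format, the router address, and the ten-minute window are assumptions; the sample records are constructed (the external addresses come from documentation ranges, which is why the routable check is written explicitly rather than relying on the `ipaddress` module's `is_global`, which treats those ranges as non-global).

```python
"""Correlate inbound hits on a router's SSL VPN port with later outbound
connections from the router to internet-routable addresses.

Added example, not code from the advisory. Log format, router address and
correlation window are assumptions; adapt them to your own flow or firewall logs.
"""
from datetime import datetime, timedelta
import ipaddress

# Constructed sample flow records (not real traffic). Fields:
# timestamp, source IP, destination IP, destination port, protocol
SAMPLE_LOG = """\
2022-02-17T10:00:01Z 198.51.100.23 203.0.113.10 8443 tcp
2022-02-17T10:00:02Z 198.51.100.23 203.0.113.10 8443 tcp
2022-02-17T10:00:05Z 203.0.113.10 198.51.100.23 4444 tcp
2022-02-17T10:30:00Z 10.0.0.5 203.0.113.10 8443 tcp
2022-02-17T10:31:00Z 203.0.113.10 10.0.0.8 53 udp
2022-02-17T11:00:00Z 203.0.113.10 192.0.2.77 443 tcp
"""

ROUTER_IP = "203.0.113.10"      # assumed WAN address of the RV340/RV345 device
SSLVPN_PORT = 8443              # SSL VPN service port named in the advisory
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Address space we do not treat as internet-routable (RFC 1918, loopback,
# link-local). Explicit so the result does not depend on the Python version.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "dport": int(dport), "proto": proto,
        })
    return flows


def is_internet_routable(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def find_suspicious_sequences(flows, router_ip=ROUTER_IP,
                              port=SSLVPN_PORT, window=WINDOW):
    """One alert per outbound connection from the router to a routable address
    that was preceded, within `window`, by inbound connections to the SSL VPN port.
    """
    inbound = [f for f in flows if f["dst"] == router_ip and f["dport"] == port]
    alerts = []
    for out in flows:
        if out["src"] != router_ip or not is_internet_routable(out["dst"]):
            continue
        prior = [i for i in inbound if out["ts"] - window <= i["ts"] <= out["ts"]]
        if prior:
            alerts.append({
                "outbound": out,
                "preceding_inbound": prior,
                "inbound_sources": sorted({i["src"] for i in prior}),
            })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_sequences(parse_flows(SAMPLE_LOG)):
        o = a["outbound"]
        print(f"{o['ts'].isoformat()} router -> {o['dst']}:{o['dport']} "
              f"after {len(a['preceding_inbound'])} hit(s) on {SSLVPN_PORT} "
              f"from {', '.join(a['inbound_sources'])}")
```

In the sample, the 10:00:05 outbound connection back to the same external host on TCP 4444 is the only alert; the 10:31 outbound DNS query goes to a private address and the 11:00 connection has no preceding 8443 traffic in the window. Before deploying something like this, baseline the router's legitimate outbound traffic (NTP, DNS, firmware update checks, cloud management) and exclude those destinations, otherwise every VPN client login followed by a routine check-in will fire.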

Deepwatch Threat Intelligence Outlook

The Deepwatch Threat Intel Team assesses with moderate confidence that threat actors will exploit the vulnerability to perform remote code execution on vulnerable devices as a means to install cryptominers or as an initial foothold into an organization. With PoC exploit code released and remote services being one of the most prevalent attack methods in 2021 according to the Deepwatch Threat Intel Team, it is highly recommended that customers upgrade to the latest releases.
