Prepared by Deepwatch Threat Intel Team
Key Points:
- Proof-of-Concept (PoC) exploit code was publicly released, and a pull request was sent to the Metasploit project for CVE-2022-20699, a critical vulnerability in Cisco RV340/RV345 series SSL VPN devices.
- A threat actor could exploit this vulnerability by sending malicious HTTP queries to a vulnerable SSL VPN Gateway device. If the exploit is successful, the attacker could gain remote code execution with root privileges on the target device.
- The Deepwatch Threat Intel Team assesses with moderate confidence that threat actors will exploit the vulnerability to perform remote code execution on vulnerable devices as a means to install cryptominers or as an initial foothold into an organization. With PoC exploit code released and remote services being one of the most prevalent attack methods in 2021 according to the Deepwatch Threat Intel Team, it is highly recommended that customers upgrade to the latest releases.
Overview:
Proof-of-concept (PoC) exploit code was publicly released, and a pull request was sent to the Metasploit project for a critical vulnerability, tracked as CVE-2022-20699, in Cisco RV340/RV345 series SSL VPN devices. An unauthenticated, remote threat actor could gain privileged arbitrary code execution if this vulnerability is exploited.
Vulnerability Details:
The vulnerability is introduced when processing specific HTTP requests due to insufficient boundary checks. As a result, a threat actor could execute code with root privileges on the vulnerable devices by sending malicious HTTP requests.
What Devices are Affected?
- RV340 Dual WAN Gigabit VPN Routers
- RV340W Dual WAN Gigabit Wireless-AC VPN Routers
- RV345 Dual WAN Gigabit VPN Routers
- RV345P Dual WAN Gigabit POE VPN Routers
Exploit Details:
The publicly available exploit chains two vulnerabilities to achieve remote code execution: CVE-2022-20699 and an improper memory configuration.
In addition to the PoC being publicly released, a pull request was sent to the Metasploit project on February 11, 2022, to introduce a module that would simplify exploitation using the Metasploit platform.
First, the exploit code and the Metasploit module take advantage of CVE-2022-20699 by sending specially crafted packets to the device that might cause a buffer overflow due to the function’s failure to handle extra data placed in the PACKET_IN buffer correctly. The exploit’s ensuing buffer overflow will overwrite the return address.
Once the stack overflow vulnerability has been exploited, the attack will use an inappropriate memory configuration vulnerability to get read, write, and execute rights to insert shellcode on the stack and execute it.
What Do I Need to Do?
Customers running RV340 and RV345 series routers should update to 1.0.03.26.
Can I Observe Exploitation?
Possibly. The shellcode in the PoC uses “execve()” to execute /bin/sh. It allows the threat actor to specify a host and port to establish interactive access to the compromised device via a reverse shell. Still, it’s unclear whether the exploit creates a parent-child relationship between the “sslvpnd” process and “/bin/sh.”
Checking for abnormal connections to TCP port 8443 on impacted devices, followed by abnormal outbound connections to internet routable IP addresses, may help discover exploitation.
Deepwatch Threat Intelligence Outlook
The Deepwatch Threat Intel Team assesses with moderate confidence that threat actors will exploit the vulnerability to perform remote code execution on vulnerable devices as a means to install cryptominers or as an initial foothold into an organization. With PoC exploit code released and remote services being one of the most prevalent attack methods in 2021 according to the Deepwatch Threat Intel Team, it is highly recommended that customers upgrade to the latest releases.
↑