Privilege Escalation and Remote Code Execution Threaten Cisco Routers: No Updates Available
In a recent security advisory, Cisco revealed multiple vulnerabilities impacting its Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers, which could potentially expose businesses to serious security risks. The advisory warns that an authenticated, remote attacker could exploit these flaws to escalate privileges and execute arbitrary commands on the affected devices, posing a threat to the integrity and security of small business networks. These vulnerabilities, tracked as CVE-2024-20393 and CVE-2024-20470, have been rated with CVSS scores of 8.8 and 4.7, respectively.
The advisory outlines two vulnerabilities:
- CVE-2024-20393 – Privilege Escalation Vulnerability: This high-severity flaw allows a remote attacker to escalate privileges from a guest to an admin account on the router. The vulnerability is rooted in the web-based management interface, which improperly discloses sensitive information. Exploiting this flaw requires sending crafted HTTP input to the device, allowing an attacker to gain unauthorized administrative control. Cisco highlights that “this vulnerability exists because the web-based management interface discloses sensitive information.”
- CVE-2024-20470 – Remote Command Execution Vulnerability: This medium-severity flaw enables attackers with valid admin credentials to execute arbitrary code on the underlying operating system of the affected router. The vulnerability is due to insufficient validation of user-supplied input within the web-based management interface. By sending crafted HTTP input, an attacker could exploit this flaw to execute arbitrary commands with root privileges. Cisco warns that “a successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system.”
The following devices are vulnerable to these issues:
- RV340 Dual WAN Gigabit VPN Routers
- RV340W Dual WAN Gigabit Wireless-AC VPN Routers
- RV345 Dual WAN Gigabit VPN Routers
- RV345P Dual WAN Gigabit PoE VPN Routers
Businesses are encouraged to check the configuration of their routers to ensure that the remote management feature is disabled, as this could reduce exposure. Cisco explains, “The web-based management interface of these devices is available through a local LAN connection, which cannot be disabled, or through the WAN connection if the remote management feature is enabled. By default, the remote management feature is disabled.”
Unfortunately, Cisco has confirmed that there are no available workarounds for either vulnerability. Making matters worse, the routers affected by these vulnerabilities have already passed their respective End-of-Software-Maintenance deadlines, meaning Cisco will not be releasing software updates to patch these flaws. As a result, small businesses using these devices remain exposed to potential attacks.
Cisco’s Product Security Incident Response Team (PSIRT) has stated, “Cisco has not released and will not release software updates that address these vulnerabilities because the affected products are past their respective dates for End of Software Maintenance Releases.”
Given that there are no software patches or workarounds available, Cisco recommends that businesses refer to the end-of-life notices for these products and consider upgrading to newer devices that still receive active security updates. While there is no evidence that these vulnerabilities have been exploited in the wild yet, their disclosure puts affected businesses on alert.
The absence of updates and workarounds presents a significant security challenge for organizations using these routers. Immediate action, including transitioning to more secure devices, should be a priority for maintaining network security and preventing potential breaches.