Cisco Small Business RV Series Routers Multiple Vulnerabilities (cisco-sa-sb-rv-bypass-inject-Rbhgvfdx) - Nessus

Critical   Plugin ID: 148652

This page contains detailed information about the Cisco Small Business RV Series Routers Multiple Vulnerabilities (cisco-sa-sb-rv-bypass-inject-Rbhgvfdx) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 148652
Name: Cisco Small Business RV Series Routers Multiple Vulnerabilities (cisco-sa-sb-rv-bypass-inject-Rbhgvfdx)
Filename: cisco-sa-sb-rv-bypass-inject-Rbhgvfdx.nasl
Vulnerability Published: 2021-04-07
This Plugin Published: 2021-04-15
Last Modification Time: 2022-02-03
Plugin Version: 1.15
Plugin Type: remote
Plugin Family: CISCO
Dependencies: cisco_rv_webui_detect.nbin, cisco_small_business_detect.nasl
Required KB Items [?]: Cisco/Small_Business_Router/Model, Cisco/Small_Business_Router/Version

Vulnerability Information

Severity: Critical
Vulnerability Published: 2021-04-07
Patch Published: 2021-04-07
CVE [?]: CVE-2021-1472, CVE-2021-1473
CPE [?]: cpe:/o:cisco:small_business_rv_series_routers_vulnerabilities

Synopsis

The remote device is missing a vendor-supplied security patch

Description

According to its self-reported version, Cisco Small Business RV Series Router Firmware is affected by multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345 and RV345P Routers which could allow an unauthenticated, remote attacker to execute arbitrary code or escalate their privileges on an affected system.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvw92538, CSCvw92718, CSCvw92723

Public Exploits

Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, GitHub)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Cisco Small Business RV Series Routers Multiple Vulnerabilities (cisco-sa-sb-rv-bypass-inject-Rbhgvfdx) vulnerability:

  1. Metasploit: exploit/linux/http/cisco_rv_series_authbypass_and_rce
    [Cisco Small Business RV Series Authentication Bypass and Command Injection]
  2. GitHub: https://github.com/Sohrabian/special-cyber-security-topic
    [CVE-2021-1472]
  3. GitHub: https://github.com/zmylml/yangzifun
    [CVE-2021-1472]
  4. GitHub: https://github.com/Sohrabian/special-cyber-security-topic
    [CVE-2021-1473]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS Score Source [?]: CVE-2021-1473
CVSS V2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C
CVSS Base Score:7.5 (High)
Impact Subscore:6.4
Exploitability Subscore:10.0
CVSS Temporal Score:6.2 (Medium)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:6.2 (Medium)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
CVSS Base Score:9.8 (Critical)
Impact Subscore:5.9
Exploitability Subscore:3.9
CVSS Temporal Score:9.1 (Critical)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:9.1 (Critical)
STIG Severity [?]: I
STIG Risk Rating: High

Go back to menu.

Plugin Source

This is the cisco-sa-sb-rv-bypass-inject-Rbhgvfdx.nasl nessus plugin source code. This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof. 

#TRUSTED 325966a4e392a09f3ff79958415c109d7cedfb1584b4f2a920c2012c94d71ba2ac7cc6be571027e4baf408851865ef13bb4f6c5f85feaf777c3a4cda1f450cfdc1f9d4b2ba410a7d667bbadcf62f2c9bd29f37557182b88e5c3b97ca4acc7f2489839ea48365fd6486e4bf5731f0acd3a2a6fbac65427be8dfc2009b31ba496adaf90b6fb33e2fc4202e06bc56e3c529522754fa48fb106bc40f437c9d37c05db54a058f7f06eb6d77f18b2b6222f3195d263c25c72363d74ba170136e848836e3557f67f5c31a67a692a1395c57690a1e272710b4ae3a4e666f8bc20b58147fb009d5ab881dc6e9e997d12d0f60e6de8a988f8a546b7232d10f9e2ffe0b4055ef905dbbbe57739018641989ef8044af8898ad83dc41d3c8e0b4b419859c28a2d93c7538c7786160b98ab5ba5bda8c0bea7039678bb5a6d78a983df638afbf060381779dd9b35cec4797c1ca78772869cfe2dbaeacbf269f4e13633c50d10faf2b80e896241dd0744d607a4ea92f80f1180cef19b1262d8d97caed4edcc29c1676556e969da379aca63b65ef94ca8e419874a8c0e6baeebc15b8b9bee4612a171d659377d1c6cf1b3ba64b68bab626091185c4f6e97f3bc6ce0dfa22d500163931f016eaf3fbc439ec7dfe7699f2e668a7de23e494539ef29db954f1882a7b97c76bb9eb67c25c3e3d21aff4b9a25f3afece378800a8b54dae83dc5893464cff
##
# (C) Tenable Network Security, Inc.
##

include('compat.inc');

if (description)
{
  script_id(148652);
  script_version("1.15");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/02/03");

  script_cve_id("CVE-2021-1472", "CVE-2021-1473");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvw92538");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvw92718");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvw92723");
  script_xref(name:"CISCO-SA", value:"cisco-sa-sb-rv-bypass-inject-Rbhgvfdx");
  script_xref(name:"IAVA", value:"2021-A-0161-S");

  script_name(english:"Cisco Small Business RV Series Routers Multiple Vulnerabilities (cisco-sa-sb-rv-bypass-inject-Rbhgvfdx)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco Small Business RV Series Router Firmware is affected by multiple
vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, RV260W, 
RV340, RV340W, RV345 and RV345P Routers which could allow an unauthenticated, remote attacker to execute arbitrary code 
or escalate their privileges on an affected system.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-bypass-inject-Rbhgvfdx
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a8b63db7");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw92538");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw92718");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw92723");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvw92538, CSCvw92718, CSCvw92723");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-1473");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Cisco Small Business RV Series Authentication Bypass and Command Injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_cwe_id(119, 284);

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/04/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/04/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/04/15");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:small_business_rv_series_routers_vulnerabilities");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_small_business_detect.nasl", "cisco_rv_webui_detect.nbin");
  script_require_keys("Cisco/Small_Business_Router/Version", "Cisco/Small_Business_Router/Model");

  exit(0);
}

include('ccf.inc');

var product_info = cisco::get_product_info(name:'Cisco Small Business Series Router Firmware');
var model = toupper(product_info['model']);
var vuln_ranges = [];

if (model =~ "^RV(160W?|260[PW]?)")
  vuln_ranges = [{ 'min_ver' : '0', 'fix_ver' : '1.0.01.03' }]; 
else if (model =~ "^RV34(0W?|5P?)")
  vuln_ranges = [{ 'min_ver' : '0', 'fix_ver' : '1.0.03.21' }];
else
  audit(AUDIT_HOST_NOT, 'an affected Cisco Small Business RV Series router');

var reporting = make_array(
  'port'            , product_info['port'],
  'severity'        , SECURITY_HOLE,
  'version'         , product_info['version'],
  'bug_id'          , 'CSCvw92538, CSCvw92718, CSCvw92723',
  'disable_caveat'  , TRUE 
);

cisco::check_and_report(
  product_info:product_info, 
  reporting:reporting, 
  vuln_ranges:vuln_ranges
);

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/cisco-sa-sb-rv-bypass-inject-Rbhgvfdx.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\cisco-sa-sb-rv-bypass-inject-Rbhgvfdx.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/cisco-sa-sb-rv-bypass-inject-Rbhgvfdx.nasl

Go back to menu.

How to Run

Here is how to run the Cisco Small Business RV Series Routers Multiple Vulnerabilities (cisco-sa-sb-rv-bypass-inject-Rbhgvfdx) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select CISCO plugin family.
  6. On the right side table select Cisco Small Business RV Series Routers Multiple Vulnerabilities (cisco-sa-sb-rv-bypass-inject-Rbhgvfdx) plugin ID 148652.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl cisco-sa-sb-rv-bypass-inject-Rbhgvfdx.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a cisco-sa-sb-rv-bypass-inject-Rbhgvfdx.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - cisco-sa-sb-rv-bypass-inject-Rbhgvfdx.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state cisco-sa-sb-rv-bypass-inject-Rbhgvfdx.nasl -t <IP/HOST>

Go back to menu.

References

IAVA | Information Assurance Vulnerability Alert:
  • 2021-A-0161-S
Cisco Bug ID: Cisco Security Advisory: CWE | Common Weakness Enumeration:
  • CWE-119 (Weakness) Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-284 (Weakness) Improper Access Control
See also: Similar and related Nessus plugins:
  • 141830 - Cisco Firepower Threat Defense Software Web Services DoS (cisco-sa-asaftd-webdos-fBzM5Ynw)
  • 141831 - Cisco Adaptive Security Appliance Software Web Services DoS (cisco-sa-asaftd-webdos-fBzM5Ynw)
  • 142018 - Cisco IP Phones Web Server RCE and DOS (cisco-sa-20200205-voip-phones-rce-dos)
  • 142365 - Cisco SD-WAN vManage Software RCE (cisco-sa-vmanrce-4jtWT28P)
  • 142660 - Cisco SD-WAN vManage Software Authorization Bypass (cisco-sa-vmanuafw-ZHkdGGEy)
  • 143150 - Cisco Integrated Management Controller RCE (cisco-sa-ucs-api-rce-UXwpeDHd)
  • 143154 - Cisco IOS XE Software Packet Filtering Bypass (cisco-sa-cedge-filt-bypass-Y6wZMqm4)
  • 143155 - Cisco IOS XE SD-WAN Software Packet Filtering Bypass (cisco-sa-cedge-filt-bypass-Y6wZMqm4)
  • 143475 - Cisco Webex Meetings Information Disclosure (cisco-sa-webex-infodisc-4tvQzn4)
  • 144196 - Cisco IOS XE Software Wireless Controller for the Catalyst 9000 Family WPA Denial of Service (cisco-sa-wpa-dos-cXshjerc)
  • 145501 - Cisco SD-WAN vManage Information Disclosure (cisco-sa-sdwan-vinfdis-MC8L58dj)
  • 146211 - Cisco IOS XE Products Snort Application Detection Engine Policy Bypass (cisco-sa-snort-app-bypass-cSBYCATq)
  • 146212 - Cisco Firepower Threat Defense Snort Application Detection Engine Policy Bypass (cisco-sa-snort-app-bypass-cSBYCATq)
  • 146266 - Cisco Small Business RV Series Routers Management Interface Multiple Vulnerabilities (cisco-sa-rv-overflow-ghZP68yj)
  • 147876 - Cisco SD-WAN Solution Software Privilege Escalation (cisco-sa-vmpresc-SyzcS4kC)
  • 148296 - Cisco IOS Software for Industrial Routers Virtual LPWA Unauthorized Access (cisco-sa-ios-lpwa-access-cXsD7PRA)
  • 148447 - Cisco SD-WAN vManage Software Multiple Vulnerabilities (cisco-sa-vmanage-YuTVWqy)
  • 149299 - Cisco Adaptive Security Appliance Software Web Services Buffer Overflow DoS (cisco-sa-memc-dos-fncTyYKG)
  • 149300 - Cisco Firepower Threat Defense Software Web Services Buffer Overflow DoS (cisco-sa-memc-dos-fncTyYKG)
  • 149362 - Cisco SD-WAN vManage Software Information Disclosure (cisco-sa-sdwan-vmaninfdis3-OvdR6uu8)
  • 149454 - Cisco HyperFlex HX Command Injection Vulnerabilities (cisco-sa-hyperflex-rce-TjjNrkpR)
  • 149845 - Cisco Firepower Management Center Multiple Stored XSS (cisco-sa-fmc-stored-xss-djKfCzf2)
  • 149979 - Cisco HyperFlex HX Command Injection Direct Check (cisco-sa-hyperflex-rce-TjjNrkpR)
  • 150996 - Cisco Adaptive Security Appliance Software Multiple Vulnerabilities (cisco-sa-asaftd-xss-multiple-FCB3vPZe)
  • 150997 - Cisco Firepower Threat Defense Software Web Services Interface Multiple Vulnerabilities (cisco-sa-asaftd-xss-multiple-FCB3vPZe)
  • 151442 - Cisco ASA Software and FTD Software Web Services Interface XSS (cisco-sa-asaftd-xss-multiple-FCB3vPZe) (Direct Check)
  • 152213 - Cisco Small Business RV160 and RV260 Series VPN Routers RCE (cisco-sa-rv-code-execution-9UVJr7k4)
  • 153258 - Cisco Security Manager Java Deserialization (cisco-sa-csm-java-rce-mWJEedcD)
  • 157361 - Cisco Small Business RV Series Routers Multiple Vulnerabilities (cisco-sa-smb-mult-vuln-KA9PK6D)
  • 157903 - Cisco NX-OS Software MPLS OAM DoS (cisco-sa-nxos-mpls-oam-dos-sGO9x5GM)
  • 160400 - Cisco Identity Services Log4j Engine Remote Code Execution (cisco-sa-apache-log4j-qRuKNEbd)
  • 17781 - TCP Vulnerabilities in Multiple IOS-Based Cisco Products
  • 48965 - NTP Vulnerability - Cisco Systems
  • 48967 - Scanning for SSH Can Cause a Crash - Cisco Systems

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file cisco-sa-sb-rv-bypass-inject-Rbhgvfdx.nasl version 1.15. For more plugins, visit the Nessus Plugin Library.

Go back to menu.