module
Cisco Small Business RV Series Authentication Bypass and Command Injection
| Disclosed |
|---|
| Apr 7, 2021 |
Disclosed
Apr 7, 2021
Description
This module exploits an authentication bypass (CVE-2021-1472) and command injection (CVE-2021-1473)
in the Cisco Small Business RV series of VPN/routers. The device does not adequately verify the
credentials in the HTTP Authorization field when requests are made to the /upload endpoint. Then
the upload.cgi binary will use the contents of the HTTP Cookie field as part of a `curl` request
aimed at an internal endpoint. The curl request is executed using `popen` and allows the attacker
to inject commands via the Cookie field.
A remote and unauthenticated attacker using this module is able to achieve code execution as `www-data`.
This module affects the RV340, RV340w, RV345, and RV345P using firmware versions 1.0.03.20 and below.
in the Cisco Small Business RV series of VPN/routers. The device does not adequately verify the
credentials in the HTTP Authorization field when requests are made to the /upload endpoint. Then
the upload.cgi binary will use the contents of the HTTP Cookie field as part of a `curl` request
aimed at an internal endpoint. The curl request is executed using `popen` and allows the attacker
to inject commands via the Cookie field.
A remote and unauthenticated attacker using this module is able to achieve code execution as `www-data`.
This module affects the RV340, RV340w, RV345, and RV345P using firmware versions 1.0.03.20 and below.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.