Advisory: Cisco RV34X Series - Privilege Escalation in vpnTimer

TL;DR
We published an advisory on the Cisco RV series routers. Cisco has now released an advisory for another bug we reported.

| Field | Value |
|---|---|
| Affected vendor & product | Cisco Small Business RV Series Router (www.cisco.com) |
| Vulnerable version | RV34X 1.0.3.20 & below |
| Fixed version | RV34X series: 1.0.03.21 |
| CVE IDs | CVE-2021-1520 |
| Impact | 6.7 (medium) CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Credit | T. Shiomitsu, IoT Inspector Research Lab |
RV34X Privilege Escalation in vpnTimer (CVE-2021-1520)
On the device the web server (nginx) runs as www-data, whereas vpnTimer runs as root. The vulnerable code sits in vpnTimer's process_timer() routine:

```perl
sub process_timer() {
    while(1) {
        @sockets_ready = $select->can_read(1);
        if (! scalar(@sockets_ready)) {
            [...snip...]
        } else {
            #print("$cur_min : $cur_sec\n");
            foreach $socket_new (@sockets_ready) {
                if (! recv($socket_new, $message, 1024, 0)) {
                    print "Error reading from socket: $!\n";
                } else {
                    # $temp is everything after the first byte of the socket message
                    my $temp=substr($message,1,);
                    [...snip...]
                    if (index(substr($message,0,1),"+") == 0){
                        # $temp is interpolated, unsanitised, into a shell command
                        my $isTVPNC=`uci get strongswan.$temp`;
                        chomp $isTVPNC;
                        if ($isTVPNC eq "client"){
                            system("tvpnc_timer $temp &");
                        } else {
                            my $interval=`uci get strongswan.$temp.keep_alive_interval`;
                            chomp $interval;
                            $conn_time{$temp}=$interval;
                            addtimer($temp,$interval,1);
                        }
                    }
                }
            }
        }
    }
}
```
The message received on the socket ($message) is sliced with substr: the first byte selects the operation, and the remainder becomes $temp. $temp is then interpolated, without any validation, into a shell command that is run through backticks. A message that makes vpnTimer execute `uci get strongswan.;touch /tmp/test;` therefore creates /tmp/test, owned by root.
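One way vpnTimer's message handling could be hardened, shown as an added example rather than the vendor's fix: the connection name is validated against a strict allowlist before use, and uci is invoked with the list form of open(), so no shell ever parses the attacker-controlled string. The message format (a "+" followed by a connection name) is taken from the snippet above; the function names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical hardened parser for the "+<connection>" socket message that
# process_timer() handles. Returns (op, name) or an empty list on rejection.
sub parse_timer_message {
    my ($message) = @_;
    return unless defined $message && length $message >= 2;
    my $op   = substr($message, 0, 1);
    my $name = substr($message, 1);
    $name =~ s/\r?\n\z//;                      # strip one trailing newline only
    return unless $op eq '+';                  # only the op shown in the snippet
    # uci section names: letters, digits, underscore; nothing the shell cares about
    return unless $name =~ /\A[A-Za-z0-9_]{1,64}\z/;
    return ($op, $name);
}

# Run uci without a shell: list-form open() execs the program directly,
# so "strongswan.$key" is passed as one argv element and never re-parsed.
sub uci_get {
    my ($key) = @_;
    open(my $fh, '-|', 'uci', 'get', $key) or return;
    my $value = <$fh>;
    close $fh;
    return unless defined $value;
    chomp $value;
    return $value;
}

# Constructed messages: a benign name and two injection-shaped ones
# (the second mirrors the /tmp/test proof of concept above).
for my $msg ("+vpn1\n", "+;touch /tmp/test;\n", "+vpn1 || id\n") {
    my ($op, $name) = parse_timer_message($msg);
    if (!defined $name) {
        (my $shown = $msg) =~ s/\n//g;
        print "rejected: $shown\n";
        next;
    }
    my $type = uci_get("strongswan.$name") // '(uci unavailable or key unset)';
    print "accepted: op=$op name=$name type=$type\n";
}
```

On a host without the uci binary the accepted case prints a "Can't exec" warning from the child process and falls through to the placeholder value; the two injection-shaped messages are rejected before any process is spawned.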
How Long Was This Bug There?
The body of this section, which traced the history of vpnTimer and its signal_handler() routine, did not survive extraction; only those identifiers remain.
Key Takeaways
About Onekey
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.