CVE-2021-1520 - OpenCVE

A vulnerability in the internal message processing of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, local attacker to run arbitrary commands with root privileges on the underlying operating system (OS). This vulnerability exists because an internal messaging service does not properly sanitize input. An attacker could exploit this vulnerability by first authenticating to the device and then sending a crafted request to the internal service. A successful exploit could allow the attacker to run arbitrary commands with root privileges on the underlying OS. To exploit this vulnerability, the attacker must have valid Administrator credentials for the device.

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Cisco	Rv340w Firmware Rv340 Firmware Rv345p Rv340 Rv345 Rv345p Firmware Rv340w Rv345 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:cisco:rv340_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:cisco:rv340:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:cisco:rv340w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:cisco:rv340w:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:cisco:rv345_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:cisco:rv345:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:cisco:rv345p_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:cisco:rv345p:-:*:*:*:*:*:*:*

References

Link	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-34x-privesc-GLN8ZAQE	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: cisco

Published: 2021-05-05T00:00:00

Updated: 2021-05-06T12:51:16

Reserved: 2020-11-13T00:00:00

Link: CVE-2021-1520

JSON object: View

NVD Information

Status : Modified

Published: 2021-05-06T13:15:11.027

Modified: 2023-11-07T03:28:30.407

Link: CVE-2021-1520

JSON object: View

Redhat Information

No data.

CWE

CWE-123

{"containers": {"cna": {"affected": [{"product": "Cisco Small Business RV Series Router Firmware ", "vendor": "Cisco", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2021-05-05T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the internal message processing of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, local attacker to run arbitrary commands with root privileges on the underlying operating system (OS). This vulnerability exists because an internal messaging service does not properly sanitize input. An attacker could exploit this vulnerability by first authenticating to the device and then sending a crafted request to the internal service. A successful exploit could allow the attacker to run arbitrary commands with root privileges on the underlying OS. To exploit this vulnerability, the attacker must have valid Administrator credentials for the device."}], "exploits": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. "}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-123", "description": "CWE-123", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-06T12:51:16", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "20210505 Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Local Privilege Escalation Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-34x-privesc-GLN8ZAQE"}], "source": {"advisory": "cisco-sa-rv-34x-privesc-GLN8ZAQE", "defect": [["CSCvx36281"]], "discovery": "INTERNAL"}, "title": "Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Local Privilege Escalation Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "DATE_PUBLIC": "2021-05-05T16:00:00", "ID": "CVE-2021-1520", "STATE": "PUBLIC", "TITLE": "Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Local Privilege Escalation Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cisco Small Business RV Series Router Firmware ", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "Cisco"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the internal message processing of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, local attacker to run arbitrary commands with root privileges on the underlying operating system (OS). This vulnerability exists because an internal messaging service does not properly sanitize input. An attacker could exploit this vulnerability by first authenticating to the device and then sending a crafted request to the internal service. A successful exploit could allow the attacker to run arbitrary commands with root privileges on the underlying OS. To exploit this vulnerability, the attacker must have valid Administrator credentials for the device."}]}, "exploit": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. "}], "impact": {"cvss": {"baseScore": "6.7", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H ", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-123"}]}]}, "references": {"reference_data": [{"name": "20210505 Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Local Privilege Escalation Vulnerability", "refsource": "CISCO", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-34x-privesc-GLN8ZAQE"}]}, "source": {"advisory": "cisco-sa-rv-34x-privesc-GLN8ZAQE", "defect": [["CSCvx36281"]], "discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2021-1520", "datePublished": "2021-05-05T00:00:00", "dateReserved": "2020-11-13T00:00:00", "dateUpdated": "2021-05-06T12:51:16", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:cisco:rv340_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "DB20DECC-5D66-4E87-8E19-AFCE0EC2538B", "versionEndExcluding": "1.0.03.21", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:cisco:rv340:-:*:*:*:*:*:*:*", "matchCriteriaId": "2A4411AC-2A74-4315-BA6B-D7E1AA538BDB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:cisco:rv340w_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1D3E083-7BC2-485B-82CD-CE3DE176A047", "versionEndExcluding": "1.0.03.21", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:cisco:rv340w:-:*:*:*:*:*:*:*", "matchCriteriaId": "21E55019-F969-4ACD-A6C8-1D2EE05F8EE4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:cisco:rv345_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "504FBEF9-DCC1-4EE2-9F04-14E38141A03C", "versionEndExcluding": "1.0.03.21", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:cisco:rv345:-:*:*:*:*:*:*:*", "matchCriteriaId": "5E91E68B-CBE9-462E-82D4-6F588B8E84E8", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:cisco:rv345p_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C7C3346-DD1A-41CC-BB4D-F42CCE75A928", "versionEndExcluding": "1.0.03.21", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:cisco:rv345p:-:*:*:*:*:*:*:*", "matchCriteriaId": "5120BAB7-FB3A-481E-9ECD-48341846AFBD", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A vulnerability in the internal message processing of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, local attacker to run arbitrary commands with root privileges on the underlying operating system (OS). This vulnerability exists because an internal messaging service does not properly sanitize input. An attacker could exploit this vulnerability by first authenticating to the device and then sending a crafted request to the internal service. A successful exploit could allow the attacker to run arbitrary commands with root privileges on the underlying OS. To exploit this vulnerability, the attacker must have valid Administrator credentials for the device."}, {"lang": "es", "value": "Una vulnerabilidad en el procesamiento interno de mensajes de Cisco RV340, RV340W, RV345, y RV345P Dual WAN Gigabit VPN Routers, podr\u00eda permitir a un atacante local autenticado ejecutar comandos arbitrarios con privilegios root en el Sistema Operativo (SO) subyacente. Esta vulnerabilidad se presenta porque un servicio de mensajer\u00eda interna no sanea apropiadamente la entrada. Un atacante podr\u00eda explotar esta vulnerabilidad si se autentica primero en el dispositivo y luego env\u00eda una petici\u00f3n dise\u00f1ada hacia el servicio interno. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante ejecutar comandos arbitrarios con privilegios root en el Sistema Operativo subyacente. Para explotar esta vulnerabilidad, el atacante debe tener credenciales de administrador v\u00e1lidas para el dispositivo"}], "id": "CVE-2021-1520", "lastModified": "2023-11-07T03:28:30.407", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "ykramarz@cisco.com", "type": "Secondary"}]}, "published": "2021-05-06T13:15:11.027", "references": [{"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-34x-privesc-GLN8ZAQE"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-123"}], "source": "ykramarz@cisco.com", "type": "Primary"}]}