Incorrect implementation of authentication algorithm in Cisco Systems, Inc products - CVE-2022-20923

 

Incorrect implementation of authentication algorithm in Cisco Systems, Inc products - CVE-2022-20923

Published: September 8, 2022


Vulnerability identifier: #VU67072
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-20923
CWE-ID: CWE-303
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
RV110W Wireless-N VPN Firewall
Cisco Small Business RV130 Series VPN Routers
RV130W Wireless-N Multifunction VPN Router
RV215W Wireless-N VPN Router

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in the password validation algorithm in IPSec VPN Server authentication functionality. A remote non-authenticated attacker can bypass authentication process and gain unauthorized access to the IPSec VPN network.


How to mitigate CVE-2022-20923

The affected routers are no longer supported by the vendor and Cisco will not release any security patches to address this vulnerability. It is recommended to replace the affected devices.


Sources