RV340 Remote Code Execution issue and Suspicious TCP connections

jcf2005aa
Level 1

Yesterday I ended up checking for new RV340 firmware and discovered the Cisco Security Advisory on the Authenticated Remote Code Execution Vulnerabilities. I downloaded and installed the new firmware, version 1.0.03.21.


However, with both previous firmware and the new firmware, I see connections in the TCP/IP Established Connections table which I do not understand. I am suspicious that these connections are related to the Remote Code Execution Vulnerability issue. The fact that I still see the strange entries AFTER updating the router to version 1.0.03.21 would suggest to me the possibility that some malware has been hidden in my router at a level escaping the firmware update.


I have attached a screenshot showing suspicious connections. The blacked-out IP addresses both contained the public IP address assigned to the router by my ISP. The screenshot was taken as soon as possible following reboot of the router, before any other deliberate network activity. (The foreign IP addresses shown are very suspicious - they are blocked by the Firefox browser.)


I would really love to hear a more benign explanation of these connections. If my router has possibly been rooted by malware, then is there a procedure to revert completely to a virgin factory image?


Thanks in advance for any help.

2 Replies

jcf2005aa
Level 1

I haven't solved it but I did make an interesting observation. From the License page of the router Web GUI, if you perform a Refresh License State operation, that also results in a temporary entry in the TCP Connections table. The Local IP address is also the public IP assigned by my ISP, while the Foreign IP address is owned by Cisco (per ARIN lookup). So, while the License Refresh is legitimate, it produces a similar trace that my mysterious router start-up activity leaves behind.

jcf2005aa
Level 1

Today I deployed a new RV345P router (for reasons not related to this issue). Before connecting it to the internet I upgraded the firmware to the latest version, and during configuration I made sure there were no cracks in the firewall. Later I checked the TCP Established Connection Status, and wouldn't you know it? There is an https connection from my public IP address to 172.105.222.138 in CLOSE_WAIT status.


If you get a chance, please check this table in your RV3xx router. If just a couple contributors post, we can deem this situation as normal (which I now suspect it is), then close this topic and move on to real issues!