cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
495
Views
0
Helpful
2
Replies

RV340 Remote Code Execution issue and Suspicious TCP connections

jcf2005aa
Beginner
Beginner

Yesterday I ended up checking for new RV340 firmware and discovered the CIsco Security Advisory on the Authenticated Remote Code Execution Vulnerabilities. I downloaded and installed the new firmware, version 1.0.03.21.

 

However, with both previous firmware and the new firmware, I see connections in the TCP/IP Established Connections table which I do not understand. I am suspicious that these connections are related to the Remote Code Execution Vulnerability issue. The fact that I still see the strange entries AFTER updating the router to version 1.0.03.21 would suggest to me the possibility that some malware has been hidden in my router at a level escaping the firmware update.

 

I have attached a screenshot showing suspicious connections. The blacked-out IP addresses both contained the public IP address assigned to the router by my ISP. The screenshot was taken as soon as possible following reboot of the router, before any other deliberate network activity. (The foreign IP addresses shown are very suspicious - they are blocked by the Firefox browser.)

 

I would really love to hear a more benign explanation of these connections. If my router has possibly been rooted by malware, then is there a procedure to revert completely to a virgin factory image?

 

Thanks in advance for any help.

2 Replies 2

jcf2005aa
Beginner
Beginner

I haven't solved it but I did make an interesting observation. From the License page of the router Web GUI, if you perform a Refresh License State operation, that also results in a temporary entry in the TCP Connections table. The Local IP address is also the public IP assigned by my ISP, while the Foreign IP address is owned by Cisco (per ARIN lookup). So, while the License Refresh is legitimate, it produces a similar trace that my mysterious router start-up activity leaves behind.

jcf2005aa
Beginner
Beginner

Today I deployed a new RV345P router (for reasons not related to this issue). Before connecting it to the internet I upgraded the firmware to the latest version and during configuration I made sure there were no cracks in the firewall. Later I checked the TCP Established Connection Status, and wouldn't you know it? - there is an https connection from my public IP address to 172.105.222.138 in CLOSE_WAIT status.

 

If you get a chance, please check this table in your RV3xx router. If just a couple contributors post, we can deem this situation as normal (which I now suspect it is), then close this topic and move on to real issues!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers