Dump these small-biz routers, says Cisco, because we won't patch their flawed VPN
Nothing like an authentication bypass for your private IPSec network
Cisco patched three security vulnerabilities in its products this week, and said it will leave unpatched a VPN-hijacking flaw that affects four small business routers.
Those small-biz routers – the RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router – have reached their end-of-life (EoL) and the networking vendor is recommending customers upgrade to devices that aren't vulnerable. To give you an idea of the potential age of this kit, Cisco stopped selling the RV110W and RV130 in 2017, and ended support for them this year.
"Cisco has not released and will not release software updates to address the vulnerability described in this advisory," the supplier wrote in an advisory. "Customers are encouraged to migrate to Cisco Small Business RV132W, RV160, or RV160W Routers."
It also said that there are no workarounds to mitigate the flaw.
That vulnerability, tracked as CVE-2022-20923 and carrying a "medium" severity rating, could if exploited let an unauthenticated remote attacker bypass authentication checks and freely access the device's IPSec VPN.
"The attacker may obtain privileges that are the same level as an administrative user, depending on the crafted credentials that are used," Cisco added. The flaw is the result of the improper implementation of a password validation algorithm, we're told.
Businesses unsure whether they are at risk can check whether the IPSec VPN server feature is enabled on a router by logging into the web-based management interface and choosing VPN > IPSec VPN Server > Setup. If the "Server Enable" box is checked, the VPN server is enabled and the device is exposed to the vulnerability.
Cisco said its Product Security Incident Response Team (PSIRT) has not seen any public disclosures about the vulnerability nor evidence that any cybercriminal has exploited the flaw.
Security flaws in legacy hardware and software technology are a point of contention between vendors and users, according to Dave Gerry, COO at Bugcrowd.
"As a best practice, technology products should be patched as available, and when the product is moved to end-of-life, the technology providers should enable customers to upgrade to newer, more secure devices and software," Gerry told The Register.
Often the decision comes down to the significance and severity of the vulnerability, Saeed Abbasi, principal security signature at Qualys, told The Register.
"Hardware and software have a very short lifecycle – like dairy products – and come with an expiration date," Abbasi said, adding that part of IT teams' job is to replace systems when they reach end of life. "However, unlike when it comes to dairy products, there is more tolerance for out-of-date hardware or software, meaning that it can still be used, but without the assurance of protection from the vendor."
Threat groups know that when a vendor publicly lists a product as EoL, there will be no more updates or patches for bugs, which is a key reason why a majority of modern malware and viruses target vulnerabilities in old and outdated devices and software, he said. Attackers have tools and automated scanning that peruse networks for such flaws that they can exploit.
Two of the vulnerabilities Cisco has patched carried severity ratings of "high."
A flaw in the Nvidia Data Plane Development Kit (MLNX_DPDK), tracked as CVE-2022-28199, stems from error conditions in the DPDK network stack being handled improperly, which could let a remote attacker cause a denial-of-service (DoS) condition.
The products affected by the bug – which Nvidia disclosed August 29 – are the Catalyst 8000V edge software for enterprises and service providers, and the Adaptive Security Virtual Appliance and Secure Firewall Threat Defense Virtual (formerly FTDv), both security products.
"If an error condition is observed on the device interface, the device may either reload or fail to receive traffic, resulting in a denial of service (DoS) condition," Cisco wrote in its advisory.
Another high-severity vulnerability that Cisco patched, CVE-2022-20696, lies in the binding configuration of Cisco Software-Defined WAN (SD-WAN) containers. It could let an unauthenticated, adjacent attacker who has access to the VPN0 logical network also reach the messaging service ports on vulnerable systems.
"This network may be restricted to protect logical or physical adjacent networks, depending on device deployment configuration," Cisco wrote in its advisory. "A successful exploit could allow the attacker to view and inject messages into the messaging service, which can cause configuration changes or cause the system to reload."
Cisco is telling organizations with versions 20.3 or earlier and between 20.6 and 20.9 to upgrade to a fixed release.
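The two actionable checks in this piece are the EoL router check (is one of the four RV models in use, and is its IPSec VPN server enabled?) and the SD-WAN version ranges above. The following is an added defender-side triage script, not Cisco's or The Register's code, that runs both checks over a constructed device inventory. The device names, the "SD-WAN" model label, the inventory fields and the status strings are this example's own assumptions, and the version boundaries (20.3 inclusive, 20.6 and 20.9 inclusive) are read from the article's wording rather than from the advisory itself.

```python
"""Triage a constructed inventory against the two checks described in the article:
(1) EoL RV-series routers with no fix for CVE-2022-20923, flagged as urgent when
    their IPsec VPN server is enabled, and
(2) Cisco SD-WAN releases the article says need an upgrade for CVE-2022-20696
    (20.3 or earlier, and 20.6 through 20.9).
This is example code; model labels, field names and statuses are assumptions."""
from dataclasses import dataclass
from typing import Optional

# The four routers Cisco will not patch, and the migration targets it names.
EOL_ROUTERS_NO_FIX = {"RV110W", "RV130", "RV130W", "RV215W"}
MIGRATION_TARGETS = ("RV132W", "RV160", "RV160W")

# Assumed inventory label for SD-WAN controllers/edges (not a Cisco product name).
SDWAN_MODEL_LABEL = "SD-WAN"


def parse_version(text: str) -> tuple:
    """Turn '20.6.3' into (20, 6, 3) so comparisons are numeric.
    A plain string compare would wrongly rank '20.10' below '20.9'."""
    return tuple(int(part) for part in text.strip().split("."))


def sdwan_needs_upgrade(version: str) -> bool:
    """Article: versions 20.3 or earlier, and between 20.6 and 20.9, should move
    to a fixed release. Only major.minor matters; boundaries treated as inclusive."""
    v = parse_version(version)[:2]
    return v <= (20, 3) or (20, 6) <= v <= (20, 9)


@dataclass
class Device:
    name: str
    model: str
    version: Optional[str] = None
    ipsec_vpn_server_enabled: bool = False  # the "Server Enable" box in the web UI


def triage(device: Device) -> tuple:
    """Return (status, reason) for one device. Statuses are this example's own."""
    if device.model in EOL_ROUTERS_NO_FIX:
        if device.ipsec_vpn_server_enabled:
            return ("replace-urgent",
                    f"{device.model} is EoL with no fix for CVE-2022-20923 and its "
                    f"IPsec VPN server is enabled; no workaround exists, migrate to "
                    f"one of {MIGRATION_TARGETS}")
        return ("replace",
                f"{device.model} is EoL and will never be patched; the IPsec VPN "
                f"server is currently disabled, so CVE-2022-20923 is not exposed")
    if device.model == SDWAN_MODEL_LABEL and device.version:
        if sdwan_needs_upgrade(device.version):
            return ("upgrade",
                    f"SD-WAN {device.version} is in a range Cisco says to move off "
                    f"for CVE-2022-20696; upgrade to a fixed release")
        return ("ok", f"SD-WAN {device.version} is outside the listed ranges")
    return ("ok", "no check from this advisory set applies")


def triage_inventory(devices: list) -> dict:
    """Map device name -> status for a whole inventory."""
    return {d.name: triage(d)[0] for d in devices}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Device("branch-fw-1", "RV130W", ipsec_vpn_server_enabled=True),
    Device("branch-fw-2", "RV110W", ipsec_vpn_server_enabled=False),
    Device("sdwan-edge-1", SDWAN_MODEL_LABEL, version="20.7.1"),
    Device("sdwan-edge-2", SDWAN_MODEL_LABEL, version="20.5.0"),
    Device("sdwan-edge-3", SDWAN_MODEL_LABEL, version="20.10.1"),
    Device("core-sw-1", "Catalyst9300"),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        status, reason = triage(dev)
        print(f"{dev.name:14} {status:15} {reason}")
```

The version parser is the part worth copying: inventory exports usually store versions as strings, and a string comparison silently misclassifies 20.10 as older than 20.9, which is exactly the kind of error that leaves a vulnerable release marked "ok".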
PSIRT said it was aware of no public announcements or exploitation of either flaw, though the unit noted that proof-of-concept exploit code is available to cybercriminals for the bug in Nvidia's MLNX_DPDK.
In addition, Cisco issued a patch for a vulnerability (CVE-2022-20863 and rated "medium") in the Webex App that could allow an unauthenticated remote attacker to modify links or other content in the messaging interface, which could lead to phishing or spoofing attacks.
The flaw stemmed from the software not handling character rendering correctly. Webex App releases earlier than 42.7 should be updated.