Cisco warns it won't fix critical flaw in small business routers despite known exploit

Software support ended in 2021, so we’re relying on SMBs knowing how to block ports


Cisco "has not and will not release software updates" to address a critical flaw in four small business routers, despite having spotted proof of concept code for an exploit.

The networking giant on Wednesday advised that its model RV016, RV042, RV042G, and RV082 routers are subject to CVE-2023-20025 – a critical-rated authentication bypass vulnerability – as well as the medium-severity rated remote command execution vulnerability CVE-2023-20026.

CVE-2023-20025 could allow an unauthenticated remote attacker to bypass authentication on an affected device, thanks to improper validation of user input within incoming HTTP packets.

"An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to bypass authentication and gain root access on the underlying operating system," Cisco's warning states.

CVE-2023-20026 is also an HTTP validation problem, but can only be triggered when attackers possess valid administrative credentials for the affected device.

Cisco won't update the devices, for two reasons.

One is that there is a workaround: disabling remote management and blocking inbound access to TCP ports 443 and 60443 on the WAN side prevents exploitation of the flaws, since both bugs are reached through the web-based management interface. The routers stay manageable from the LAN after that change.

The other is that the devices have reached end of life. Cisco ended support for the RV082 and RV016 in 2021, and software maintenance ended for the RV042 and RV042G in the same year – but the hardware will be supported until 2025.
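Because the only protection on offer is "make sure nothing outside can reach the management ports", the useful check is to confirm, from the internet side, that 443 and 60443 no longer answer. The script below is an added example written for this page, not Cisco's tooling or code from the advisory: it attempts a TCP connect to each port and reports which still accept connections. The port numbers come from the article; the local listener and the `demo()` function are constructed stand-ins so the logic can be exercised offline without a real router.

```python
import socket
import threading
from typing import Dict, Iterable

# Ports named in the Cisco workaround quoted in the article: the web-based
# management interface listens on 443 and 60443.
CISCO_RV_MGMT_PORTS = (443, 60443)


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A completed handshake means something is listening and reachable from
    here; a refusal or a timeout means the port is closed or filtered.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (ConnectionRefusedError, socket.timeout, OSError):
        return False


def check_mgmt_exposure(host: str, ports: Iterable[int] = CISCO_RV_MGMT_PORTS,
                        timeout: float = 3.0) -> Dict[int, bool]:
    """Map each management port to whether it answers on the given host."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def still_exposed(results: Dict[int, bool]) -> bool:
    """True if any management port still accepts connections."""
    return any(results.values())


class _LocalListener:
    """Constructed stand-in for an exposed router web UI (assumption: a bare
    TCP accept loop on 127.0.0.1 is enough to model 'port answers')."""

    def __init__(self) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))   # ephemeral port chosen by the OS
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:            # socket closed by close() below
                return
            conn.close()

    def close(self) -> None:
        self.sock.close()


def free_port() -> int:
    """Find a loopback port nothing is listening on right now."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> Dict[str, bool]:
    """Offline demonstration: one listening port and one closed port."""
    listener = _LocalListener()
    closed = free_port()
    try:
        res = check_mgmt_exposure("127.0.0.1", [listener.port, closed], timeout=1.0)
        return {
            "listening_detected": res[listener.port],
            "closed_detected": not res[closed],
            "flagged_exposed": still_exposed(res),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        target = sys.argv[1]               # the router's public (WAN) address
        results = check_mgmt_exposure(target)
        for port, is_open in results.items():
            print(f"{target}:{port} {'OPEN' if is_open else 'closed/filtered'}")
        sys.exit(1 if still_exposed(results) else 0)
    print(demo())
```

Run it with the router's public IP as the argument from a host outside the LAN (a phone on mobile data, a cloud VM, a friend's connection); run from inside the LAN it will report the ports open even after the fix, because the LAN-side interface is meant to stay reachable. A non-zero exit status means at least one management port still answers from the outside and the workaround has not actually been applied.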

Now for the tricky part: Cisco is "aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory" but "is not aware of any malicious use of the vulnerabilities that are described in this advisory."

But given that criminals routinely hunt for easy-to-attack platforms, it surely won't be long before someone attempts to exploit these vulnerabilities.

Security experts often tell The Register that small businesses are not renowned for their infosec capabilities or diligence. So while the fix is relatively trivial for a technical user, many actual owners of these machines will have no idea how to block access to ports 443 and 60443. That is, if they even receive news of the flaws.

Throw in the fact that small routers often just work for years at a time without intervention, and it is almost certain some of these devices are ripe for attack – and will be for the foreseeable future. ®
