Cisco warns it won't fix critical flaw in small business routers despite known exploit

Software support ended in 2021, so we’re relying on SMBs knowing how to block ports


Cisco "has not and will not release software updates" to address a critical flaw in four small business routers, despite having spotted proof of concept code for an exploit.

The networking giant on Wednesday advised that its model RV016, RV042, RV042G, and RV082 routers are subject to CVE-2023-20025 – a critical-rated authentication bypass vulnerability – as well as the medium-severity rated remote command execution vulnerability CVE-2023-20026.

CVE-2023-20025 could allow an unauthenticated remote attacker to bypass authentication on an affected device, thanks to improper validation of user input within incoming HTTP packets.

"An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to bypass authentication and gain root access on the underlying operating system," Cisco's warning states.

CVE-2023-20026 is also an HTTP validation problem, but can only be triggered when attackers possess valid administrative credentials for the affected device.

Cisco won't update the devices, for two reasons.

One is that disabling remote management and blocking access to ports 443 and 60443 is a workaround that prevents exploitation of the flaws.

The other is that the devices have reached end of life. Cisco ended support for the RV082 and RV016 in 2021, and software maintenance ended for the RV042 and RV042G in the same year – but the hardware will be supported until 2025.

Now for the tricky part: Cisco is "aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory" but "is not aware of any malicious use of the vulnerabilities that are described in this advisory."

But given that criminals routinely hunt for easy-to-attack platforms, it surely won't be long before someone attempts to exploit these vulnerabilities.

Security experts often tell The Register that small businesses are not renowned for their infosec capabilities or diligence. So while the fix is relatively trivial for a technical user, many actual owners of these machines will have no idea how to block access to ports 443 and 60443. That is, if they even receive news of the flaws.

Throw in the fact that small routers often just work for years at a time without intervention, and it is almost certain some of these devices are ripe for attack – and will be for the foreseeable future. ®
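The workaround above only helps if ports 443 and 60443 really are unreachable, so here is an added example (not from Cisco's advisory or the original article) that checks both ports on a router you administer and reports whether either still accepts TCP connections. The function names and the three-second timeout are assumptions of this sketch; run it from the network side you want to verify, such as a host outside the LAN for remote management.

```python
import socket
import sys

# Ports named in the workaround for the RV016, RV042, RV042G and RV082.
MGMT_PORTS = (443, 60443)


def port_state(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'.

    open     - handshake completed, the management interface is reachable
    closed   - the host answered with a reset, nothing is listening
    filtered - no answer or network error, consistent with a firewall drop
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts and unreachable-network errors
        return "filtered"


def check_workaround(host, ports=MGMT_PORTS, timeout=3.0):
    """Probe every port and report whether the workaround holds for this host."""
    states = {p: port_state(host, p, timeout) for p in ports}
    exposed = sorted(p for p, s in states.items() if s == "open")
    return {"host": host, "states": states,
            "exposed": exposed, "mitigated": not exposed}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_ports.py <address-of-your-own-router>")
    result = check_workaround(sys.argv[1])
    for port, state in result["states"].items():
        print(f"{result['host']}:{port} is {state}")
    if result["mitigated"]:
        print("Neither management port accepted a connection from here.")
    else:
        print("Still reachable:", ", ".join(map(str, result["exposed"])))
    # Non-zero exit lets a cron job or monitoring check alert on exposure.
    sys.exit(0 if result["mitigated"] else 1)
```

A "filtered" or "closed" result only describes the path from the machine running the check, so repeat it from each network segment that should be blocked.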
