On-Prem

Networks

Cisco warns it won't fix critical flaw in small business routers despite known exploit

Software support ended in 2021, so we’re relying on SMBs knowing how to block ports


Cisco "has not and will not release software updates" to address a critical flaw in four small business routers, despite having spotted proof of concept code for an exploit.

The networking giant on Wednesday advised that its model RV016, RV042, RV042G, and RV082 routers are subject to CVE-2023-20025 – a critical-rated authentication bypass vulnerability – as well as the medium-severity rated remote command execution vulnerability CVE-2023-20026.

CVE-2023-20025 could allow an unauthenticated remote attacker to bypass authentication on an affected device, thanks to improper validation of user input within incoming HTTP packets.

"An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to bypass authentication and gain root access on the underlying operating system," Cisco's warning states.

CVE-2023-20026 is also an HTTP validation problem, but can only be triggered when attackers possess valid administrative credentials for the affected device.

Cisco won't update the devices, for two reasons.

One is that disabling remote management and blocking access to ports 443 and 60443 is a workaround that prevents exploitation of the flaws.

The other is that the devices have reached end of life. Cisco ended support for the RV082 and RV016 in 2021, and software maintenance ended for the RV042 and RV042G in the same year – but the hardware will be supported until 2025.

Now for the tricky part: Cisco is "aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory" but "is not aware of any malicious use of the vulnerabilities that are described in this advisory."

But given that criminals routinely hunt for easy-to-attack platforms, it surely won't be long before someone attempts to exploit these vulnerabilities.

Security experts often tell The Register that small businesses are not renowned for their infosec capabilities or diligence. So while the fix is relatively trivial for a technical user, many actual owners of these machines will have no idea how to block access to ports 443 and 60443. That is, if they even receive news of the flaws.

Throw in the fact that small routers often just work for years at a time without intervention, and it is almost certain some of these devices are ripe for attack – and will be for the foreseeable future. ®

Send us news
42 Comments

Cisco punts network-security integration as key for agentic AI

Getting it in might mean re-racking the entire datacenter and rebuilding the network, though

Cisco scores a perfect 10 - sadly for a critical flaw in its comms platform

The second max score this week for Netzilla - not a good look

Russia, hotbed of cybercrime, says nyet to ethical hacking bill

Politicians uneasy over potential impact on national security, local reports say

Britain's 5G experience 'among the worst in Europe' says MedUX

Official figures for network performance don't play out in user's reality, says monitoring biz

Suspected Chinese cybersnoop grounded in Italy after US tipoff

Zewei Xu's family reportedly bemused at arrest as extradition tabled

Amazon's latest Graviton 4 EC2 instances pack dual 300Gbps NICs

And no, that's not a typo

AMD warns of new Meltdown, Spectre-like bugs affecting CPUs

Low-severity bugs but infosec pros claim they are a 'critical' overall threat – patch accordingly

Trump's budget bill opens wide swath of spectrum for sale

Including frequencies that overlap with Wi-Fi 6E and private mobile networking

Scattered Spider crime spree takes flight as focus turns to aviation sector

Time ticking for defenders as social engineering pros weave wider web

HPE finally closes Juniper deal, but offers no details on what happens next

A big shrug to early integration questions

23andMe's new owner says your DNA is safe this time

Nonprofit TTAM assures everything is BAU. Whether that makes customers feel better is another matter

Cisco fixes two critical make-me-root bugs on Identity Services Engine components

A 10.0 and a 9.8 – these aren’t patches to dwell on