
Cisco won’t patch router flaws, citing end-of-life

Anyone who uses the decade-old Cisco Small Business RV110W, RV130, RV130W, and RV215W routers may want to upgrade to newer models sooner rather than later. Cisco said it will not provide a patch for a vulnerability found in the routers’ IPSec VPN server authentication because the routers have reached their end of life.

“This vulnerability is due to improper implementation of the password validation algorithm,” Cisco said in an advisory.

By connecting to the VPN of an affected device with specially crafted credentials, an attacker could bypass authentication and gain access to the IPSec VPN network. “The attacker can obtain privileges of the same level as an administrative user, depending on the crafted credentials that are used,” the advisory explains.

Cisco’s decision not to offer a fix for the flaw is not unusual. “Vendors generally don’t patch end-of-life vulnerabilities, but that logic usually depends on the importance and severity of the vulnerability found, for example, BlueKeep patch by Microsoft,” said Saeed Abbasi, Principal Security Signature Engineer at Qualys. “In this case, the vulnerability is severe; however, the devices are extremely old. As such, users need to upgrade to new devices.”

Indeed, this is what Cisco recommended. Users, the company said, “should migrate to the Cisco Small Business RV132W, RV160, or RV160W routers.”

This most recent advisory highlights how hard it is to keep systems secure as the technology behind them ages. “Security vulnerabilities in legacy technologies, both hardware and software, continue to be a point of contention between security vendors and users,” said Dave Gerry, COO at Bugcrowd.

“Firmware vulnerabilities in older networking equipment can be problematic, especially when the device is no longer part of the manufacturer’s supported lineup,” said Mike Parkin, senior technical engineer at Vulcan Cyber.

As a best practice, Gerry said, “Technology products should be patched as soon as patches become available, and when the product is moved to end of life, technology vendors should allow customers to upgrade to newer, more secure devices and software.”

Hardware and software life cycles are typically short — like dairy products — and come with an expiration date, Abbasi said.

“Part of the role of IT teams is to replace workstations, servers, routers, switches, phones, etc. when they reach end of life (EOL),” he said. “However, unlike dairy, there is more tolerance for outdated hardware or software. This means that it can still be used, but without the assurance of provider protection.”

This is especially a problem in this case, since the routers are still being sold second-hand. “Although Cisco has declared these devices end-of-life, they are still available on the used market and there are undoubtedly many more in use in the small and medium-sized business (SMB) space,” Parkin said.

And threat actors are actively looking for opportunities like this to exploit older equipment. “The majority of malware and viruses today target vulnerabilities in old and outdated devices and software,” Abbasi said. “When a manufacturer publicly lists an EOL for a product, attackers know they will no longer provide updates for bugs and vulnerabilities found.”

Preying “on the fact that security teams are overloaded and often do not have time to maintain perfect hygiene, attackers turn to software/hardware EOL as one of the first vectors to gain a foothold on the network of a business,” he said. “Attackers have even created tools and automated scans that scour networks for such vulnerabilities and take advantage of them.”

“Fortunately, there are no reports of exploitation in the wild and the replacement kit is not prohibitively expensive,” Parkin said. “At this point, replacement is the obvious option if the user relies on the vulnerable features.”