Critical vulnerability in older 'end of life' Cisco routers to remain unpatched

 3 years ago
source link: https://siliconangle.com/2021/08/19/critical-vulnerability-older-end-of-life-cisco-routers-remain-unpatched/

A critical vulnerability in older Cisco Systems Inc. routers will remain unpatched after the company advised that they have reached end-of-life status.

The vulnerability is in the Universal Plug-and-Play service in Cisco Small Business RV110W, RV130, RV130W and RV214W routers. Rated by Cisco as “critical,” it could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial-of-service condition.

The vulnerability is the result of improper validation of incoming UPnP traffic. An attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device. A successful exploit could allow the attacker to obtain root status on the underlying operating system or cause the device to reload, resulting in a DoS condition.

Although it’s arguably nice that Cisco has at least alerted users, it then went on to say in its Aug. 18 notice that “Cisco has not released software updates that address this vulnerability.” It added that there are no workarounds to address the vulnerability either.

That said, Cisco noted that administrators can disable the affected feature by disabling UPnP on the LAN interface of the device.

“Exploiting this vulnerability in a default configuration requires the threat actor to have access to the internal network,” Jake Williams, co-founder and chief technology officer at incident response firm BreachQuest Inc., told SiliconANGLE. “That can be gained through something as easy as a phishing email. Once inside, the threat actor can use this vulnerability to easily take control of the device using an exploit.”

Noting that the vulnerable devices are widely deployed in smaller business environments, Williams said some larger organizations also use the devices for remote offices.

“While UPnP is an extremely useful feature for home users, it has no place in business environments,” Williams explained. “Cisco likely leaves the UPnP feature enabled on its small business product line because those environments are less likely to have dedicated support staff who can reconfigure a firewall as needed for a product.”

Yaniv Bar-Dayan, co-founder and chief executive officer of cyber risk remediation company Vulcan Cyber Ltd., said the vulnerabilities should be taken seriously by network security teams. “Exposure should be identified and prioritized based on contextualized business risk,” he said. “Based on this measure of risk, steps to mitigate the threat should be taken to protect the business.”
