UPDATED 22:41 EST / AUGUST 19 2021

SECURITY

Critical vulnerability in older ‘end of life’ Cisco routers to remain unpatched

A critical vulnerability in older Cisco Systems Inc. routers will remain unpatched after the company advised that they have reached end-of-life status.

The vulnerability is in the Universal Plug-and-Play service in Cisco Small Business RV110W, RV130, RV130W and RV214W routers. Rated by Cisco as “critical,” it could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial-of-service condition.

The vulnerability is the result of improper validation of incoming UPnP traffic. An attacker could exploit it by sending a crafted UPnP request to an affected device. A successful exploit could allow the attacker to gain root privileges on the underlying operating system or cause the device to reload, resulting in a DoS condition.

Although it’s arguably nice that Cisco has at least alerted users, it then went on to say in its Aug. 18 notice that “Cisco has not released software updates that address this vulnerability.” It added that there are no workarounds to address the vulnerability either.

That said, Cisco noted that administrators can disable the affected feature by disabling UPnP on the LAN interface of the device.

“Exploiting this vulnerability in a default configuration requires the threat actor to have access to the internal network,” Jake Williams, co-founder and chief technology officer at incident response firm BreachQuest Inc., told SiliconANGLE. “That can be gained through something as easy as a phishing email. Once inside, the threat actor can use this vulnerability to easily take control of the device using an exploit.”

Noting that the vulnerable devices are widely deployed in smaller business environments, Williams said some larger organizations also use the devices for remote offices.

“While UPnP is an extremely useful feature for home users, it has no place in business environments,” Williams explained. “Cisco likely leaves the UPnP feature enabled on its small business product line because those environments are less likely to have dedicated support staff who can reconfigure a firewall as needed for a product.”

Yaniv Bar-Dayan, co-founder and chief executive officer of cyber risk remediation company Vulcan Cyber Ltd., said the vulnerabilities should be taken seriously by network security teams. “Exposure should be identified and prioritized based on contextualized business risk,” he said. “Based on this measure of risk, steps to mitigate the threat should be taken to protect the business.”
