Cisco: No Fixes for Small Business Router Vulnerabilities

Multiple vulnerabilities in four Cisco small business routers could allow a remote attacker to bypass authentication or execute arbitrary commands on an affected device.

The security flaw was found in the web-based management interface of Cisco small business RV016, RV042, RV042G and RV082 routers.

Cisco has not released software updates to address the vulnerabilities. In addition, there are no workarounds or temporary fixes.

In its alert, Cisco said this vulnerability is due to improper validation of user input within incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to bypass authentication and gain root access on the underlying operating system.

Software Maintenance Support Ended in January 2021

Cisco sent us the following statement:

“Cisco is committed to transparency and follows a well-established disclosure process to publicly report security vulnerabilities in our products. Products that enter the end-of-life process have defined end dates to receive software maintenance releases or bug fixes. The Cisco small business RV Series routers described in the security advisory have entered the end-of-life process, and software maintenance support has ended as of Jan. 29, 2021. Please refer to the specific security advisory and end-of-life announcement for the latest information.”

Casey Ellis is Bugcrowd‘s founder and CTO. He said “this is critical.”

Bugcrowd’s Casey Ellis

“SMB routers are very widely deployed,” he said. “And in a post COVID-19 hybrid/work-from-home world, it’s not just an SMB problem. Branch offices, centers of excellence (COEs) and even home offices are potential users of the vulnerable product. Financially motivated attackers would be interested because of the raw quantity of these devices that are out there. And nation-states would likely pay attention because of the size and criticality of potential users.”

On top of this, it’s an attractive target from a technical point of view, Ellis said.

“As an attacker, if you manage to get remote code execution (RCE) on core routing or network infrastructure, your ability to move laterally increases exponentially,” he said.

Affected Cisco Small Business Routers Widely Used Despite End of Life

Mike Parkin is senior technical engineer at Vulcan Cyber.

Vulcan Cyber’s Mike Parkin

“The Cisco small business routers affected by these vulnerabilities still see reasonably widespread usage, though they are all officially end of life,” he said. “The challenge will be that these devices are typically found in small businesses with limited resources or used by individuals who may not have the budget to replace them. Unfortunately for them, Cisco is not going to fix this. So anyone who still has one of these in service should strongly consider replacing them with a newer kit sooner rather than later. This applies to any world-facing kit that’s past its end of life.”

John Bambenek is principal threat hunter at Netenrich.

Netenrich’s John Bambaneck

“It’s always a best practice not to allow remote administration of network devices accessible from the open internet,” he said. “However, small business using some MSP/MSSPs have to leave it open for their service providers. That said, this is the worst of all worlds with proof of concept (POC) code publicly available and no mitigations or patches available.”