Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Privacy

Cisco Says It Won't Fix Zero-Day RCE In End-of-Life VPN Routers (bleepingcomputer.com) 52

An anonymous reader quotes a report from BleepingComputer: Cisco advises owners of end-of-life Small Business RV routers to upgrade to newer models after disclosing a remote code execution vulnerability that will not be patched. The vulnerability is tracked as CVE-2022-20825 and has a CVSS severity rating of 9.8 out of 10.0. According to a Cisco security advisory, the flaw exists due to insufficient user input validation of incoming HTTP packets on the impacted devices. An attacker could exploit it by sending a specially crafted request to the web-based management interface, resulting in command execution with root-level privileges.

The vulnerability impacts four Small Business RV Series models, namely the RV110W Wireless-N VPN Firewall, the RV130 VPN Router, the RV130W Wireless-N Multifunction VPN Router, and the RV215W Wireless-N VPN Router. This vulnerability only affects devices with the web-based remote management interface enabled on WAN connections. [...] Cisco states that they will not be releasing a security update to address CVE-2022-20825 as the devices are no longer supported. Furthermore, there are no mitigations available other than to turn off remote management on the WAN interface, which should be done regardless for better overall security. Users are advised to apply the configuration changes until they migrate to Cisco Small Business RV132W, RV160, or RV160W Routers, which the vendor actively supports.

This discussion has been archived. No new comments can be posted.

Cisco Says It Won't Fix Zero-Day RCE In End-of-Life VPN Routers

Comments Filter:
  • Cisco (Score:2, Interesting)

    by Anonymous Coward

    Back in the 90's I worked at a huge facility that had a lot of high-end gear. I got to talk to a lot of techs, engineers, and peek inside the guts of everything.

    I vowed then that I would never willingly use a piece of their gear. They just gave me the creeps. It was just "that vibe" that's hard to describe. I couldn't trust them.

    Some of their consumer level stuff is OK because it's not actually made by them.

  • Cisco would rather generate tons of E-waste and force customer to buy new hardware (may be not Cisco this time) then just fix the bug. This is nothing new for Cisco...

  • by Reiyuki ( 5800436 ) on Friday June 17, 2022 @07:15PM (#62630056)
    Do you think leaving permanent unpatched flaws in their equipment will decrease brand loyalty?
    • It is obviously a flavor of apathy either way; but given that the affected hardware is all essentially consumer-tier BCM5357/5358 based stuff, rather than hardware that has Cisco in places other than the label, I'd be curious to know if the firmware is actually Cisco and actually being abandoned by them directly; or if it's an ODM rebadge job that they didn't bother to secure the option for long term support on.
      • by Megane ( 129182 )
        Even if it wasn't rebadged third-party firmware, it's been EOL four years (or was it EOS, fuck idiot "journalists" who won't use the right words, I did EOL support once at CIsco, so I know the difference), and even if it was an internal product, its build system will be gone by now, and the entire team that worked on it may have been split up or gone soon afterward. And this is Small Business toy equipment that I doubt they get many support contracts on when it's not EOS.
  • by RightwingNutjob ( 1302813 ) on Friday June 17, 2022 @07:17PM (#62630060)

    Be hard-nosed and militant about maintaining backward compatibility. When you change hardware platforms such that your software won't run on the old shit no more, it should be a rare event and one full of fanfare.

    Yeah the move fast n break things crowd will make fun of your dinosaur ways. But your customers will love you. And pay you.

    IBM is no one's idea of a wishy washy sit in a circle and sing kumbaya kind of organization. But backward compatibility was (maybe still is) sacrosanct at that place. And no one ever got fired for choosing IBM.

  • But their new constant lic'ing and subscription stuff is a complete cluster frack. I would not buy Cisco anything at this point.
    • by MrKaos ( 858439 )

      But their new constant lic'ing and subscription stuff is a complete cluster frack. I would not buy Cisco anything at this point.

      If they won't do Zero days for their old gear then it demonstrates how they will behave with the new gear.

      Cisco has told their customers that an investment in their technology for building infrastructure is not designed for the long term because they will not fix product defects that result in zero day exploits.

      It's holding the customer to ransom essentially.

  • Hm (Score:4, Interesting)

    by backslashdot ( 95548 ) on Friday June 17, 2022 @08:21PM (#62630146)

    Release the source code and let third parties fix it legally then.

    • This is the cost of buying secret code.

      Perfectly good open source pfSense boxes were available when those devices were purchased and somebody decided to get in bed with Cisco instead of being smart.

  • They've always been known for forcing "fork lift" upgrades on older products. Always. Why is it news when they do it again?
  • Buy a replacement from Cisco that comes with an annual subscription. Endless cash for Cisco.

    Sorry, I'll go to a Chinese router before I start paying Cisco a fee every year to use a Cisco small business VPN router.

  • ...buy proprietary gear.
  • by robbak ( 775424 ) on Friday June 17, 2022 @10:58PM (#62630430) Homepage

    Regardless of age, this is covered under the statutory warranty of fitness.

    This vulnerability isn't a wear and tear fault - it was always there. The device was not suitable for the purpose for which it was sold from day 1. If they refuse to fix, they have to refund or replace it.

    • Good luck getting the toothless ACCC to action that. Australia's just a market for last year's equipment that didn't sell in the USA and EU, and the ACCC has neither the power nor the apetite to actually protect consumers by pursuing companies that exist outside of Australia.
      • by thegarbz ( 1787294 ) on Saturday June 18, 2022 @06:54AM (#62630976)

        Good luck getting the toothless ACCC to action that.

        What toothless ACCC? The same one that got Microsoft to fold on warranty claims for red ring defect xboxes the fruits of which have extended to MS extending warranty for that specific issue over the globe?

        I've heard the ACCC called a lot of things, toothless isn't one of them.

        pursuing companies that exist outside of Australia

        Huh? What do you mean outside of Australia? Cisco Systems Australia Pty Ltd is an Australian company locally headquartered in Sydney.

        You seem to not understand there's a very big difference between an "international" company, and a "multi-national" company. The latter is subject directly to all laws and regulatory agencies of the multiple countries in which they are registered.

        Australia's just a market for last year's equipment that didn't sell in the USA and EU

        Your second post? Did you make your previous one just after registering your account in the 90s? Have you been in a 30 year coma? That would explain why you have a 1990s era view of the Australian market. Sorry kiddo, the exact same product is sold in Australia as Europe at the same time. The world has moved on, you should try and keep up.

  • You'd better buy a Huawei router. At least then you'll know it doesn't have backdoors for any agency, not US, not Chinese. And you know the americans have a hard time hacking it, that's the real reason why the US is blacklisting huawei and trying to get other countries to ditch them.
    • Well, if you can geoblock out Chinese IP addresses, this may actually be something to consider...

      • by Megane ( 129182 )
        I was not happy the day that I found out that APAC mixed up all their ipv4 allocations such that you can't just ban a few /12 blocks for only China. They're all mixed in with Japan and Australia and the rest. If you want to geoblock just China, you need a detailed list of allocations. (The first thing I'd do is block port 22 for all the spam password guessing for root, when most ssh blocks root by default.)
        • I'm in the fortunate situation that I only need to whitelist 3 countries. None of them in the Asian region.

  • by thegarbz ( 1787294 ) on Saturday June 18, 2022 @02:57AM (#62630696)

    Cisco runs new marketing campaign promoting Juniper and other competitors.

  • by schwit1 ( 797399 ) on Saturday June 18, 2022 @04:05AM (#62630800)

    How long after it's out of support is Cisco supposed to continue patching? The last software update for the RV110W was 4+ years ago.

    It doesn't need to be patched
    "This vulnerability only affects devices with the web-based remote management interface enabled on WAN connections."
    It's good security practice to disable remote management via a WAN interface.

    • How long after it's out of support is Cisco supposed to continue patching?

      For as long as vehicle manufacturers are required to recall unsafe products.

      • by ebvwfbw ( 864834 )

        How long after it's out of support is Cisco supposed to continue patching?

        For as long as vehicle manufacturers are required to recall unsafe products.

        LOL, Really? They have nothing to worry about then. For a vehicle manufacturer to be required to recall something people have to have died first. No fluke. You'll see voluntary recalls. A required one is rare.

  • If you are using Cisco hardware, it is because you are okay with being compromised

  • by williamyf ( 227051 ) on Saturday June 18, 2022 @07:50AM (#62631026)

    I worked in a big (at least for my country) Telco from 1998 'til 2004, and this is standard MO for all the big-uns. CISCO, Compaq (pre-HP merger), HP(E), Nokia, Sun, Tecnomen...

    The Lifespan/Support for the equipment (Hardware), is fenomenal, ten years, sometimes more. But they will let you know about end of sales, end of "new features"/New Software versions, and finally end of life (no bugs/security patches of any kind).

    Also, if the equipment is in the last stages of its (decades) life, they will not even entertain the posibility of making small upgrades (like say, changing 486DX2-66 processors for 486DX4-133 in order to run the new SW) to prolong the usefull life of equipment, instead offering you only a forklift upgrade (risking that you replace them with someone else)

    If you are unfortunate to buy equipent near the end of its lifecycle, tough luck.

    Things are so extreme that, if a piece of equipment enters end of life today, and you request a firmware from 2 years ago (already developed and all), the manufacturer will say no. You better has cultivated some good relationships with the support personnel, management, and your colleagues in other firms, to get said firmware through "backdoor" channels.

    So, this is not strange AT ALL. Is simply that the SOHO/SMB crowd is not used to this...

  • by laughingskeptic ( 1004414 ) on Saturday June 18, 2022 @10:35AM (#62631334)
    I can find these being sold today on secondary on-line markets frequented by IT shops. Big companies give their old electronics to "E-cyclers" and they turn around and put the out-of-support equipment up for sale cheap. Non-profits and local governments then buy and deploy this stuff.
    • I can find these being sold today on secondary on-line markets frequented by IT shops. Big companies give their old electronics to "E-cyclers" and they turn around and put the out-of-support equipment up for sale cheap. Non-profits and local governments then buy and deploy this stuff.

      And this is CISCO's or HPE's or ORACLE's fault how exactly?

      If you are concerned about second hand onlyne markets, then ask them for patches...

  • If you've worked at a large company, a product this old, they probably couldn't regenerate a compiled firmware without bringing in a dedicated team of archeologists to dig through internal repos, if they could even find older build machines. It's amazing how fast code goes stale in a moving target environment. Of course, the solution is to release the firmware as source code and blobs so old hardware can be maintained instead of filling landfills.

  • by Asynchronously ( 7341348 ) on Saturday June 18, 2022 @02:12PM (#62631850)

    All of Cisco's product lines are too expensive and inferior to competitors.

    Arista > Nexus/Catalyst
    Palo Alto Networks > Firepower
    Nutanix > UCS
    Aruba WiFi > Cisco WiFi
    Forescout > Cisco ICE

    You get the idea. There's no reason to buy Cisco.

news: gotcha

Working...