Anyone using decade-old Cisco Small Business RV110W, RV130, RV130W and RV215W routers might want to make the switch to newer models sooner rather than later. Cisco said it would not provide a fix for a vulnerability found in the routers’ IPSec VPN Server authentication because the routers have reached their end-of-life.
“This vulnerability is due to the improper implementation of the password validation algorithm,” Cisco said in an advisory.
By logging in to the VPN from an affected device with crafted credentials, an attacker could bypass authentication and access the IPSec VPN network. “The attacker may obtain privileges that are the same level as an administrative user, depending on the crafted credentials that are used,” the advisory explained.
Cisco’s decision not to offer a remedy for the flaw is not out of the ordinary. “Generally speaking, vendors do not fix end-of-life vulnerabilities, but this logic usually depends on significance and severity of the vulnerability found–e.g., Microsoft’s patching of BlueKeep,” said Saeed Abbasi, principal security signature engineer at Qualys. “In this case, the vulnerability is severe; however, the devices are extremely old—as such, users should upgrade to the new devices.”
Indeed, that is what Cisco recommended. Users, the company said, “should migrate to Cisco Small Business RV132W, RV160 or RV160W Routers.”
This most recent advisory underscores IT security’s struggles with security issues as technology ages. “Security vulnerabilities in legacy technology—both hardware and software—continue to be a point of contention between vendors and security users,” said Dave Gerry, COO at Bugcrowd.
“Firmware vulnerabilities in older networking equipment can be problematic, especially when the device is no longer in the manufacturer’s supported lineup,” said Mike Parkin, senior technical engineer at Vulcan Cyber.
As a best practice, Gerry said, “technology products should be patched as available and when the product is moved to end-of-life, the technology providers should enable customers to upgrade to newer, more secure devices and software.”
The life cycles of hardware and software are typically short—like dairy products—and come with an expiration date, said Abbasi.
“Part of the role of IT teams is to replace workstations, servers, routers, switches, phones etc. when they reach end-of-life (EOL),” he said. “However, unlike dairy products, there is more tolerance for out-of-date hardware or software. Meaning that it can still be used but without the assurance of protection from the vendor.”
That’s particularly an issue in this case where the routers are still sold elsewhere. “While Cisco has declared these devices end-of-life, they are still available on the used market and there are undoubtedly many of them still in service in the small and mid-sized business (SMB) space,” Parkin said.
And threat actors actively scavenge for opportunities such as this to exploit older equipment. “The majority of today’s malware and viruses target vulnerabilities in old and outdated devices and software,” said Abbasi. “When a manufacturer publicly lists an EOL for a product, attackers know that they will no longer be providing updates for bugs and vulnerabilities found.”
Preying “on the knowledge that security teams are stretched thin and often do not have time to maintain perfect hygiene, attackers look to EOL software/hardware as one of the initial vectors to gain a foothold on a business’ network,” he said. “Attackers have even created tools and automated scanning that peruse networks for such vulnerabilities and take advantage of them.”
“Fortunately, there are no reports of this being exploited in the wild and replacement kit is not prohibitively expensive,” Parkin said. “At this point, replacement is the obvious option if the user relies on the vulnerable features.”