Cisco this week patched three vulnerabilities in its products and announced that it would leave unpatched a VPN hijacking flaw affecting four small business routers.
These small business routers—the RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router—have reached their End of Life (EoL), and the networking vendor is recommending that customers migrate to devices that are not vulnerable. To give you an idea of the potential age of this kit, Cisco stopped selling the RV110W and RV130 in 2017 and ended support for them that year.
“Cisco has not and will not release any software updates to address the vulnerability described in this advisory,” the vendor wrote in one advisory. “Customers are advised to migrate to Cisco Small Business RV132W, RV160, or RV160W routers.”
It also said that there are no workarounds to mitigate the flaw.
This vulnerability, tracked as CVE-2022-20923 with a severity rating of Medium, could, if exploited, allow an unauthenticated remote attacker to bypass authentication checks and freely access the device’s IPSec VPN.
“The attacker can gain privileges equivalent to those of an administrator, depending on the crafted credentials used,” Cisco added. The bug is the result of improper implementation of a password validation algorithm, we’re told.
For those unsure whether they are at risk, organizations can determine if the IPSec VPN server feature is enabled on a router by logging into the web-based management interface and selecting VPN > IPSec VPN Server > Setup. If the Enable Server checkbox is checked, the VPN server is enabled and the device is exposed to the vulnerability.
Cisco said its Product Security Incident Response Team (PSIRT) has seen no public disclosures about the vulnerability, nor evidence that a cybercriminal exploited the vulnerability.
Fight is on
Vulnerabilities in outdated hardware and software technology are a point of contention between vendors and users, according to Dave Gerry, COO at Bugcrowd.
“As a best practice, technology products should be patched as they become available, and when the product reaches end of life, technology vendors should allow customers to upgrade to newer, more secure devices and software,” Gerry told The Register.
Often the decision depends on the importance and severity of the vulnerability, Saeed Abbasi, principal security signature at Qualys, told The Register.
“Hardware and software have a very short life cycle — like dairy products — and have an expiration date,” Abbasi said, adding that part of IT teams’ job is to replace systems when they reach the end of their lifecycle. “However, unlike dairy, there is a greater tolerance for obsolete hardware or software, meaning it can continue to be used, but without the assurance of manufacturer protection.”
Threat groups know that when a vendor publicly lists a product as EoL, there are no more updates or patches for bugs, which is a key reason the majority of modern malware and viruses target vulnerabilities in old and outdated devices and software, he said. Attackers have tools and automated scanners that sweep networks for such flaws that they can exploit.
Two of the vulnerabilities that Cisco has patched have a severity rating of High.
A flaw in the Nvidia Data Plane Development Kit (MLNX_DPDK), tracked as CVE-2022-28199, involves improper handling of an error condition in the DPDK network stack, which could allow a remote attacker to cause a denial of service (DoS) condition.
The products affected by the bug – which Nvidia disclosed August 29 – are the Catalyst 8000V enterprise and service provider edge software, the Adaptive Security Virtual Appliance, and Secure Firewall Threat Defense Virtual (formerly FTDv), the latter two being security products.
“If an error condition is observed at the device interface, the device may either reload or receive no traffic, resulting in a denial of service (DoS) condition,” Cisco wrote in its advisory.
Keep yourself busy
Another high-severity vulnerability (CVE-2022-20696) patched by Cisco affected the binding configuration of Cisco Software-Defined WAN (SD-WAN) containers, which could allow an unauthenticated, adjacent attacker with access to the logical VPN0 network to also reach the messaging service ports on vulnerable systems.
“This network may be restricted to protect logically or physically adjacent networks, depending on the device deployment configuration,” Cisco wrote in its advisory. “A successful exploit could allow the attacker to view and insert messages into the messaging service, which could lead to configuration changes or a system reboot.”
Cisco encourages organizations running versions 20.3 or earlier, or versions between 20.6 and 20.9, to upgrade to a fixed release.
PSIRT said it has not found any public announcements or exploitation of either flaw, although the team is aware that proof-of-concept exploit code for the MLNX_DPDK bug is available.
In addition, Cisco has released a patch for a vulnerability (CVE-2022-20863, rated “Medium”) in the Webex app that could allow an unauthenticated remote attacker to modify links or other content in the messaging interface, which could lead to phishing or spoofing attacks.
The flaw stems from the software not handling character rendering correctly. Webex app versions prior to 42.7 should be updated. ®
https://www.theregister.com/2022/09/08/cisco_routers_vulnerability/ Discard those routers, Cisco says, because we won’t be patching them. • The Register