Cisco Says It Will Not Release Software Update For Critical 0-day In EOL VPN Routers

Cisco announced recently that it will not be releasing software updates for a vulnerability with its Universal Plug-and-Play (UPnP) service in Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers.

The vulnerability allows unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.

"This vulnerability is due to improper validation of incoming UPnP traffic. An attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition," Cisco said in a statement. 

"Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability."

The vulnerability only affects the RV Series Routers if they have UPnP configured but the UPnP service is enabled by default on LAN interfaces and disabled by default on WAN interfaces.

The company explained that to figure out if the UPnP feature is enabled on the LAN interface of a device, users should open the web-based management interface and navigate to Basic Settings > UPnP. If the Disable check box is unchecked, UPnP is enabled on the device.

Cisco said that while disabling the affected feature has been proven successful in some test environments, customers should "determine the applicability and effectiveness in their own environment and under their own use conditions." 

They also warned that any workaround or mitigation might harm how their network functions or performs. Cisco urged customers to migrate to the Cisco Small Business RV132W, RV160, or RV160W Routers.

The vulnerability and Cisco's notice caused a minor stir among IT leaders, some of whom said exploiting it requires the threat actor to have access to an internal network, which can be gained easily through a phishing email or other methods. 

Jake Williams, CTO at BreachQuest, added that once inside, a threat actor could use this vulnerability to easily take control of the device using an exploit. 

"The vulnerable devices are widely deployed in smaller business environments. Some larger organizations also use the devices for remote offices. The vulnerability lies in uPnP, which is intended to allow dynamic reconfiguration of firewalls for external services that need to pass traffic inbound from the Internet," Williams told ZDNet. 

"While uPnP is an extremely useful feature for home users, it has no place in business environments. Cisco likely leaves the uPnP feature enabled on its small business product line because those environments are less likely to have dedicated support staff who can reconfigure a firewall as needed for a product. Staff in these environments need everything to 'just work.' In the security space, we must remember that every feature is also additional attack surface waiting to be exploited." 

Williams added that even without the vulnerability, if uPnP is enabled, threat actors inside the environment can use it to open ports on the firewall, allowing in dangerous traffic from the Internet. 

"Because the vulnerable devices are almost exclusively used in small business environments, with few dedicated technical support staff, they are almost never updated," he noted.

Vulcan Cyber CEO Yaniv Bar-Dayan said UPnP is a much-maligned service used in the majority of internet connected devices, estimating that more than 75% of routers have UPnP enabled. 

While Cisco's Product Security Incident Response Team said it was not aware of any malicious use of this vulnerability so far, Bar-Dayan said UPnP has been used by hackers to take control of everything from IP cameras to enterprise network infrastructure. 

Other experts, like nVisium senior application security consultant Zach Varnell, added that it's extremely common for the devices to rarely -- or never -- receive updates. 

"Users tend to want to leave well enough alone and not touch a device that's been working well -- including when it needs important updates. Many times, users also take advantage of plug-and-play functionality, so they do very little or zero configuration changes, leaving the device at its default status and ultimately, vulnerable," Varnell said. 

New Net Technologies global vice president of security research Dirk Schrader added that while UPnP is one of the least known utilities to average consumers, it is used broadly in SOHO networking devices such as DSL or cable router, WLAN devices, even in printers. 

"UPnP is present in almost all home networking devices and is used by device to find other networked devices. It has been targeted before, and one of the big botnets, Mirai, relied heavily on UPnP. Given that the named Cisco devices are placed in the SOHO and SMB segment, the owners are most likely not aware of UPnP and what it does," Schrader said. 

"That and the fact that no workaround or patch are available yet is a quite dangerous combination, as the installed base is certainly not small. Hope can be placed on the fact the -- by default -- UPnP is not enabled on the WAN interfaces of the affected Cisco device, only on the LAN side. As consumers are not likely to change that, for this vulnerability to be exploited, attackers seem to need a different, already established footprint within the LAN. But attackers will check the vulnerability and see what else can be done with it."

RECENT NEWS

Reassessing AI Investments: What The Correction In US Megacap Tech Stocks Signals

The recent correction in US megacap tech stocks, including giants like Nvidia, Tesla, Meta, and Alphabet, has sent rippl... Read more

AI Hype Meets Reality: Assessing The Impact Of Stock Declines On Future Tech Investments

Recent declines in the stock prices of major tech companies such as Nvidia, Tesla, Meta, and Alphabet have highlighted a... Read more

Technology Sector Fuels U.S. Economic Growth In Q2

The technology sector played a pivotal role in accelerating America's economic growth in the second quarter of 2024.The ... Read more

Tech Start-Ups Advised To Guard Against Foreign Investment Risks

The US National Counterintelligence and Security Center (NCSC) has advised American tech start-ups to be wary of foreign... Read more

Global IT Outage Threatens To Cost Insurers Billions

Largest disruption since 2017’s NotPetya malware attack highlights vulnerabilities.A recent global IT outage has cause... Read more

Global IT Outage Disrupts Airlines, Financial Services, And Media Groups

On Friday morning, a major IT outage caused widespread disruption across various sectors, including airlines, financial ... Read more