Cisco patched three security vulnerabilities in its products this week and said it would leave unpatched a VPN hacking flaw that affects four small business routers.
These small business routers – the RV110W Wireless N VPN Firewall, RV130 VPN Router, RV130W Wireless Multifunction VPN Router, and RV215W Wireless N VPN Router – have reached their end of life (EoL), and the networking vendor is recommending that customers switch to devices that are not vulnerable. To give you an idea of how old this kit might be, Cisco stopped selling the RV110W and RV130 in 2017, and ended support for them this year.
“Cisco has not released and will not release software updates to address the vulnerability described in this advisory,” the vendor wrote in a notice. “Customers are encouraged to migrate to the Cisco Small Business RV132W, RV160, or RV160W Routers.”
It also said there was no workaround to mitigate the flaw.
This vulnerability, identified as CVE-2022-20923 with a severity rating of “Medium”, could, if exploited, allow an unauthenticated remote attacker to bypass authentication controls and gain unrestricted access to the IPSec VPN.
“The attacker can gain privileges at the same level as an administrative user, depending on specially crafted credentials that are used,” Cisco added. The flaw is the result of the poor implementation of a password validation algorithm, we are told.
For those unsure if they are at risk, organizations can determine if the IPSec VPN Server feature is enabled on a router by logging into the web management interface and choosing VPN > IPSec VPN Server > Configuration. If the “Server Enable” box is checked, the VPN server is enabled, exposing the device to the vulnerability.
Cisco said its Product Security Incident Response Team (PSIRT) has seen no public disclosures about the vulnerability or any evidence that a cybercriminal exploited the flaw.
The fight is on
Security flaws in legacy hardware and software technologies are a point of contention between vendors and users, according to Dave Gerry, COO at Bugcrowd.
“As a best practice, technology products should be patched as soon as they become available, and when the product is moved to end of life, technology vendors should allow customers to upgrade to newer and better-secured devices and software,” Gerry told The Register.
Often the decision comes down to the size and severity of the vulnerability, Saeed Abbasi, principal security signing officer at Qualys, told The Register.
“Hardware and software have a very short life cycle – like dairy products – and have an expiration date,” Abbasi said, adding that part of the job of IT teams is to replace systems when they reach the end of their life. “However, unlike dairy products, outdated hardware or software is more tolerated, meaning it can still be used, but without the assurance of protection from the supplier.”
Threat groups know that when a vendor publicly lists a product as EoL, there will be no more updates or bug fixes, which is one of the main reasons why the majority of modern malware and viruses target vulnerabilities in old and outdated devices and software, he said. Attackers have tools and automated scans that scour networks for such flaws to exploit.
Two of the vulnerabilities patched by Cisco carried “high” severity ratings.
A flaw in the Nvidia Data Plane Development Kit (MLNX_DPDK), tracked as CVE-2022-28199, involves poor handling of errors discovered in the DPDK network stack, which could allow a remote attacker to cause a denial-of-service (DoS) condition.
The products affected by the bug, which Nvidia disclosed on Aug. 29, are the Catalyst 8000V edge software for enterprises and service providers, as well as the Adaptive Security Virtual Appliance and Secure Firewall Threat Defense Virtual (formerly FTDv), both security products.
“If an error condition is observed on the device interface, the device may either reload or not receive traffic, resulting in a denial of service (DoS) condition,” Cisco wrote in its advisory.
To be busy
Another high-severity vulnerability (CVE-2022-20696) patched by Cisco affected the link configuration of Cisco Software-Defined WAN (SD-WAN) containers and could allow an unauthenticated, adjacent attacker with access to the VPN0 logical network to also access messaging service ports on vulnerable systems.
“This network may be restricted to protect adjacent logical or physical networks, depending on the device deployment configuration,” Cisco wrote in its advisory. “A successful exploit could allow the attacker to view and inject messages into the messaging service, which may result in configuration changes or system reload.”
Cisco is asking organizations with versions 20.3 or earlier and between 20.6 and 20.9 to upgrade to a fixed version.
PSIRT said it found no announcements or exploits for either flaw, although the unit is aware that proof-of-concept exploit code for the flaw in Nvidia’s MLNX_DPDK is available to cybercriminals.
Additionally, Cisco has released a patch for a vulnerability (CVE-2022-20863, rated Medium) in the Webex application that could allow an unauthenticated remote attacker to modify links or other content within the messaging interface, which could lead to phishing or spoofing attacks.
The defect came from the fact that the software did not handle character rendering correctly. Webex App versions earlier than 42.7 need to be updated. ®
Dump These Routers, Cisco Says, Because We Won’t Patch Them