Cisco advises owners of end-of-life Small Business RV routers to upgrade to newer models after disclosing a remote code execution vulnerability that will not be patched.
The vulnerability is tracked as CVE-2022-20825 and has a CVSS severity rating of 9.8 out of 10.0.
According to Cisco's security advisory, the flaw stems from insufficient validation of user-supplied input in HTTP packets received by the affected devices.
An unauthenticated, remote attacker could exploit it by sending a specially crafted request to the web-based management interface, gaining command execution with root-level privileges on the device.
Impact and remediation
The vulnerability impacts four Small Business RV Series models, namely the RV110W Wireless-N VPN Firewall, the RV130 VPN Router, the RV130W Wireless-N Multifunction VPN Router, and the RV215W Wireless-N VPN Router.
This vulnerability only affects devices with the web-based remote management interface enabled on WAN connections.
While the remote management feature is not enabled in the default configuration, brief searches using Shodan found exposed devices.
To determine whether remote management is enabled, admins should log in to the web-based management interface, navigate to “Basic Settings > Remote Management,” and verify the state of the relevant check box.
Cisco states that it will not release a security update for CVE-2022-20825 because the devices are no longer supported. There is no workaround either; the only mitigation is to turn off remote management on the WAN interface, which should be done regardless, since exposing a management interface to the internet is a bad idea on any device.
Owners are advised to apply that configuration change until they migrate to the Cisco Small Business RV132W, RV160, or RV160W routers, which the vendor actively supports.
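The check box in the UI tells you what the device thinks is configured; the check a practitioner actually wants is from the outside, against the WAN address. The following is an added example, not Cisco's tooling or anything from the advisory: a small probe that connects to the router's public address on the management ports, sends a minimal GET, and reports which ports answer HTTP. The port list (80 plain, 443 TLS), the timeout and the constructed local stand-in server used to run it offline are all assumptions; the actual management port is whatever the device's Remote Management page shows.

```python
"""Probe a router's WAN address from outside for an exposed web management UI.

Added example, not Cisco's code. Assumes the WAN address is reachable from
where this runs and that the UI listens on plain HTTP and/or HTTPS on the
ports given (80 and 443 are assumptions; use the port from the device config).
"""
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def http_probe(host, port, use_tls=False, timeout=3.0):
    """Open a TCP connection, send a minimal GET /, and return a dict describing
    the response, or None when nothing on that port answers HTTP."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None  # closed, filtered or unreachable: not exposed on this port
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            # Device UIs almost always present self-signed certificates; we are
            # fingerprinting exposure, not trusting the endpoint.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        request = (f"GET / HTTP/1.0\r\nHost: {host}\r\n"
                   "User-Agent: wan-exposure-check\r\n\r\n").encode()
        sock.sendall(request)
        raw = b""
        while b"\r\n\r\n" not in raw and len(raw) < 8192:
            chunk = sock.recv(1024)
            if not chunk:
                break
            raw += chunk
    except (OSError, ssl.SSLError):
        return None  # TLS failure, reset or read timeout: treat as not HTTP
    finally:
        sock.close()
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        return None  # something answered, but not HTTP
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"port": port, "tls": use_tls, "status": lines[0],
            "server": headers.get("server", "")}


def wan_exposure(host, ports=((80, False), (443, True)), timeout=3.0):
    """Return the list of (port, tls) entries on `host` that answer HTTP.
    A non-empty list means a web UI is reachable from the WAN side."""
    findings = []
    for port, tls in ports:
        result = http_probe(host, port, use_tls=tls, timeout=timeout)
        if result is not None:
            findings.append(result)
    return findings


class _FakeRouterUI(BaseHTTPRequestHandler):
    """Constructed stand-in for a device login page so the example runs offline."""

    def version_string(self):
        return "constructed-router-ui"  # constructed Server header value

    def do_GET(self):
        body = b"<html><title>Router Login</title></html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_fake_router(host="127.0.0.1"):
    """Start the constructed UI on an ephemeral port; returns (server, port)."""
    server = HTTPServer((host, 0), _FakeRouterUI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_router()
    # Against a real device: wan_exposure("203.0.113.10") with its public address.
    print(wan_exposure("127.0.0.1", ports=((port, False),)))
    srv.shutdown()
```

Run it from a host outside the router's LAN, since the point is to see what the internet sees; an empty list after disabling remote management is the result you want, and any entry means the WAN-facing interface is still answering.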
Cisco warned last year that admins should upgrade to newer models after disclosing that it would not fix a critical vulnerability in the Universal Plug-and-Play (UPnP) service of the same router line.
This week, Cisco patched a critical vulnerability in Cisco Secure Email that could allow attackers to bypass authentication and log in to the web management interface of the Cisco email gateway.
Comments
ThomasMann - 1 year ago
"..has a CVSS severity rating of 9.8 out of 10.0."
"....Cisco advises owners of end-of-life Small Business RV routers to upgrade to newer models"
"We are in business not in service, do you have any idea what it would cost us to fix this snafu?"
Buy new stuff, buy more stuff.
Listen to George Carlin about "stuff"...
cyberwolfe - 1 year ago
Cisco and Linksys have always been a dumpster fire company when it comes to consumer post-sales support. Even if the affected products were a month or so before EOL, they would probably advise you to just disable web based remote management. Why? Because they can't be bothered servicing something that would take them a year to write into a firmware update. Their router software is some of the most terrible code I've ever come across.
ConjurerOfWorlds - 1 year ago
According to the Cisco site, these devices were released in 2008. If your business model requires you to keep IT equipment in service for over 14 years, it's probably time to rethink that plan.
ThomasMann - 1 year ago
Except for their security, which has been as rotten as anything else these companies force their paying customers to use, older devices are a lot more useful than the "new" "updated" "improved" versions. Something we see EVERY day when we use garbage like firefox...
These are "Small Business RV routers", so your advice is simply stupid. But so are people who hand over their own business on a silver platter to gangsters in the huge digital corporations.
Up to a certain size of business, anyone not using their own servers and storage and not a "cloud" is an idiot, who sooner or later will pay the price...
ConjurerOfWorlds - 1 year ago
Wow, sounds like IT is NOT the field for you. You might want to try something else, I think you'll be a lot happier.
ThomasMann - 1 year ago
You are a funny man and a true representative of your kind. I am reading this blog because I want my understanding to be up to reality, as far as possible. Nothing a ConjurerOfWorlds could possibly be interested in....
You really think I am wasting my time in this field? I also read the New York Times, Der Spiegel, and the Asahi Shimbun, to know what the idiots that run the planet at any given time will be up to next....