Cisco Says It Won't Fix Zero-Day RCE In End-of-Life VPN Routers (bleepingcomputer.com)
An anonymous reader quotes a report from BleepingComputer: Cisco advises owners of end-of-life Small Business RV routers to upgrade to newer models after disclosing a remote code execution vulnerability that will not be patched. The vulnerability is tracked as CVE-2022-20825 and has a CVSS severity rating of 9.8 out of 10.0. According to a Cisco security advisory, the flaw exists due to insufficient user input validation of incoming HTTP packets on the impacted devices. An attacker could exploit it by sending a specially crafted request to the web-based management interface, resulting in command execution with root-level privileges.
The vulnerability impacts four Small Business RV Series models, namely the RV110W Wireless-N VPN Firewall, the RV130 VPN Router, the RV130W Wireless-N Multifunction VPN Router, and the RV215W Wireless-N VPN Router. This vulnerability only affects devices with the web-based remote management interface enabled on WAN connections. [...] Cisco states that they will not be releasing a security update to address CVE-2022-20825 as the devices are no longer supported. Furthermore, there are no mitigations available other than to turn off remote management on the WAN interface, which should be done regardless for better overall security. Users are advised to apply the configuration changes until they migrate to Cisco Small Business RV132W, RV160, or RV160W Routers, which the vendor actively supports.
Cisco (Score:2, Interesting)
Back in the 90's I worked at a huge facility that had a lot of high-end gear. I got to talk to a lot of techs, engineers, and peek inside the guts of everything.
I vowed then that I would never willingly use a piece of their gear. They just gave me the creeps. It was just "that vibe" that's hard to describe. I couldn't trust them.
Some of their consumer level stuff is OK because it's not actually made by them.
Re: (Score:1)
The "Small Business" line is just made up of toys. If you want security, you have to go Enterprise grade, and follow the licensing and EOL timeline that goes with it.
I call BS. I routinely deploy 30+ core Linux systems with 128GB RAM and multiple TB of storage into client data centers. I often deploy a little consumer-grade dual-100Mb travel router along with them that runs a purpose-built OpenWRT firmware. It calls home via WireGuard and gives me secure access to the big system's lights-out management port. I bought a lot of 10 of them for less than $30/ea including a UL-listed USB power adapter and all cables. I couldn't even find an enterprise version, but if I
Re: Cisco (Score:2)
The world needs a company that does this,
Re: (Score:2)
It's OK, they won't fix 0days in Enterprise-grade stuff either, so may as well stick with the cheaper stuff.
Or better yet just avoid the whole shonky outfit like the plague and buy from someone else.
Just a bunch of E-Waste (Score:2)
Cisco would rather generate tons of E-waste and force customers to buy new hardware (maybe not Cisco this time) than just fix the bug. This is nothing new for Cisco...
Re: Just a bunch of E-Waste (Score:2)
It's still a case of wasteful handling, especially in these days where it can take 100+ days to get a new device.
The hardware that Cisco provides is reliable, it's the business model that is the issue. Even more so with the 'cloud driven' equipment, which could be suicide for your business if you get it, because one day it might no longer work.
Re: (Score:3)
What good is an appliance that lasts forever when the manufacturer doesn't provide updates past 2 years? It might as well fail in 2 years.
If your selling point is that your systems last long, either support them or be prepared to be called out for deceptive marketing.
Re: (Score:2)
Sure... but is the hardware still otherwise fit for the task? Is there some inherent hardware issue that makes them unsupportable?
That was what always irked me about Cisco. Things go EoL, but the (more expensive) replacement doesn't offer any improved functionality. Just one of those things to move me more into the "defense in depth" club I guess.
Re: (Score:3)
What irks me the most is that the old models are often even (almost) binary compatible with the new ones. I had more than one case where all I had to do to the firmware or the flash tool was to, erhm, "convince" it to be installed in the correct machine to install and run.
Re: (Score:2)
802.11AC is certainly better, especially in congested environments; but unless the RF context is particularly nasty or throughput matters more than using a cheap all-in-one device as an AP suggests there's nothing particularly archaic there; except the software flaws that Cisco is declining to fix.
Re: (Score:2)
The device was end of life in 2018. The world moves on in 4 years time. If e-waste is the issue in your life then stop using computers.
I've got a better idea - stop using Cisco.
Re: Just a bunch of E-Waste (Score:2)
Re: (Score:2)
The device was end of life in 2018. The world moves on in 4 years time. If e-waste is the issue in your life then stop using computers.
So what if it was? if it's continuing to function and meet needs it doesn't matter does it? And we're talking about network hardware, the world hasn't really moved on much at all over the last 4 years in that respect for 99.9% of network installations. There's not been some magical new "must have" invention. The only thing that's got bumped up are specs in order to run the latest bloated management interface they've decided to put on the things to try to distinguish them from their competitors that does shi
Re: (Score:2)
The device was end of life in 2018. The world moves on in 4 years time. If e-waste is the issue in your life then stop using computers.
Has something significant changed recently in the world of networking that would make an older router less than fully useful today? The last significant change I'm aware of was gigabit Ethernet back in 1998, which was 24 years ago. I'm ignoring 10-gigabit, because it is almost never worth doing except at the LAN level; you'll never have that fast an upstream pipe. Most people don't even have 100 megabit pipes yet.
This isn't a cell phone. It's a router. Realistically, it should not need any upgrades for
Re: (Score:2)
Plenty of people have higher than 1G internet pipes.
Re: (Score:3)
You gotta check the fine print, they didn't say which planet.
I bet it's Uranus. For ... obvious reasons.
Planned Obsolescence (Score:3)
Re: (Score:2)
Re: (Score:2)
Here's how to build goodwill with customers (Score:3, Interesting)
Be hard-nosed and militant about maintaining backward compatibility. When you change hardware platforms such that your software won't run on the old shit no more, it should be a rare event and one full of fanfare.
Yeah the move fast n break things crowd will make fun of your dinosaur ways. But your customers will love you. And pay you.
IBM is no one's idea of a wishy washy sit in a circle and sing kumbaya kind of organization. But backward compatibility was (maybe still is) sacrosanct at that place. And no one ever got fired for choosing IBM.
Didn't mind Cisco before. (Score:2)
Re: (Score:2)
But their new constant lic'ing and subscription stuff is a complete cluster frack. I would not buy Cisco anything at this point.
If they won't do Zero days for their old gear then it demonstrates how they will behave with the new gear.
Cisco has told their customers that an investment in their technology for building infrastructure is not designed for the long term because they will not fix product defects that result in zero day exploits.
It's holding the customer to ransom essentially.
Hm (Score:4, Interesting)
Release the source code and let third parties fix it legally then.
Re: (Score:2)
That, sir, is why we need a law that abandoned products' sources are released with all tools necessary to produce a working binary/image/etc.
We are overusing resources and the biosphere cannot sustain our throwaway culture. Anything that perpetuates this reality is literally an attack on all people.
Re: (Score:3)
This is the cost of buying secret code.
Perfectly good open source pfSense boxes were available when those devices were purchased and somebody decided to get in bed with Cisco instead of being smart.
It's Cisco... (Score:2)
Re: (Score:2)
Because they manage to rope in a new bunch of suckers each time...
Upgrade options (Score:2)
Buy a replacement from Cisco that comes with an annual subscription. Endless cash for Cisco.
Sorry, I'll go to a Chinese router before I start paying Cisco a fee every year to use a Cisco small business VPN router.
Only idiots... (Score:1)
In Australia, that's cause for a refund. (Score:4, Interesting)
Regardless of age, this is covered under the statutory warranty of fitness.
This vulnerability isn't a wear and tear fault - it was always there. The device was not suitable for the purpose for which it was sold from day 1. If they refuse to fix, they have to refund or replace it.
Re: (Score:2)
Re:In Australia, that's cause for a refund. (Score:4, Interesting)
Good luck getting the toothless ACCC to action that.
What toothless ACCC? The same one that got Microsoft to fold on warranty claims for red ring defect xboxes the fruits of which have extended to MS extending warranty for that specific issue over the globe?
I've heard the ACCC called a lot of things, toothless isn't one of them.
pursuing companies that exist outside of Australia
Huh? What do you mean outside of Australia? Cisco Systems Australia Pty Ltd is an Australian company locally headquartered in Sydney.
You seem to not understand there's a very big difference between an "international" company, and a "multi-national" company. The latter is subject directly to all laws and regulatory agencies of the multiple countries in which they are registered.
Australia's just a market for last year's equipment that didn't sell in the USA and EU
Your second post? Did you make your previous one just after registering your account in the 90s? Have you been in a 30 year coma? That would explain why you have a 1990s era view of the Australian market. Sorry kiddo, the exact same product is sold in Australia as Europe at the same time. The world has moved on, you should try and keep up.
Better buy Huawei (Score:1)
Re: (Score:2)
Well, if you can geoblock out Chinese IP addresses, this may actually be something to consider...
Re: (Score:2)
Re: (Score:2)
I'm in the fortunate situation that I only need to whitelist 3 countries. None of them in the Asian region.
Alternate headline: (Score:3)
Cisco runs new marketing campaign promoting Juniper and other competitors.
Not patching is a no-brainer (Score:5, Insightful)
How long after it's out of support is Cisco supposed to continue patching? The last software update for the RV110W was 4+ years ago.
It doesn't need to be patched
"This vulnerability only affects devices with the web-based remote management interface enabled on WAN connections."
It's good security practice to disable remote management via a WAN interface.
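The advisory's only mitigation, quoted in the summary above and in this comment, is to disable remote management on the WAN interface. That is something you can verify from outside rather than trust a GUI checkbox. The script below is an added example, not code from the BleepingComputer article, from Cisco, or from any commenter: it probes a device's WAN address for a listener on the usual web-management ports and reads the HTTP status line, so that an unrelated forwarded port is not mistaken for the router's UI. Only the four affected model names come from the page; the port numbers, the inventory format, the status labels and the local fake listener are assumptions made so the script runs offline.

```python
"""Check from the outside whether an RV router still answers on its WAN side.

Added example (not from the article, Cisco, or the thread). It checks the
advisory's mitigation for CVE-2022-20825: remote web management off on WAN.
"""
import socket
import threading

# Models the advisory lists as affected; these names are from the page.
AFFECTED_MODELS = {"RV110W", "RV130", "RV130W", "RV215W"}

# Assumption: the web UI listens on plain HTTP and HTTPS.
MANAGEMENT_PORTS = (80, 443)


def probe_tcp(host, port, timeout=2.0):
    """Return True if something accepts a TCP connection on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_status_line(host, port, timeout=2.0):
    """Send a minimal GET and return the first response line, or None.

    A bare TCP accept only proves that *something* listens; a port forwarded
    to an internal web server looks identical. The status line (plus, in a
    real check, the Server header and the login page) tells them apart.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            data = b""
            while b"\r\n" not in data and len(data) < 512:
                chunk = s.recv(512)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return data.split(b"\r\n", 1)[0].decode(errors="replace") or None


def audit_device(device, ports=MANAGEMENT_PORTS, timeout=2.0):
    """Classify one inventory entry {"name", "model", "wan_ip"} (constructed).

    Returns (status, open_ports): "unaffected" if the model is not in the
    advisory, "exposed" if a management port answers on the WAN address,
    "mitigated" if nothing answered during this probe.
    """
    if device["model"] not in AFFECTED_MODELS:
        return "unaffected", []
    open_ports = []
    for port in ports:
        if probe_tcp(device["wan_ip"], port, timeout):
            open_ports.append((port, http_status_line(device["wan_ip"], port, timeout)))
    return ("exposed" if open_ports else "mitigated"), open_ports


def start_fake_router(status_line=b"HTTP/1.0 200 OK"):
    """Local stand-in for a router with WAN management left on (demo only).

    Binds an ephemeral loopback port, answers every connection with a
    one-line HTTP response, and returns the port number.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.recv(512)
                    conn.sendall(status_line + b"\r\nConnection: close\r\n\r\n")
                except OSError:
                    pass  # client closed without sending; nothing to do

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Pick a loopback port that is (almost certainly) closed."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    listening = start_fake_router()
    # Constructed inventory: two affected boxes and one supported replacement.
    inventory = [
        ({"name": "branch-1", "model": "RV130W", "wan_ip": "127.0.0.1"}, (listening,)),
        ({"name": "branch-2", "model": "RV110W", "wan_ip": "127.0.0.1"}, (unused_port(),)),
        ({"name": "branch-3", "model": "RV160", "wan_ip": "127.0.0.1"}, MANAGEMENT_PORTS),
    ]
    for dev, ports in inventory:
        status, detail = audit_device(dev, ports=ports, timeout=1.0)
        print(f"{dev['name']:10} {dev['model']:8} {status:10} {detail}")
```

Run the real check from a host that is genuinely outside the network, against the WAN address; a probe from the LAN side says nothing about WAN exposure. A "mitigated" result only means nothing answered at that moment, and an "exposed" result with a status line still needs a look at the body to confirm it is the router's login page rather than a forwarded service. Nothing here touches the vulnerability itself; it only tells you whether the one available mitigation is actually in effect.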
Re: (Score:2)
How long after it's out of support is Cisco supposed to continue patching?
For as long as vehicle manufacturers are required to recall unsafe products.
Re: (Score:1)
How long after it's out of support is Cisco supposed to continue patching?
For as long as vehicle manufacturers are required to recall unsafe products.
LOL, Really? They have nothing to worry about then. For a vehicle manufacturer to be required to recall something people have to have died first. No fluke. You'll see voluntary recalls. A required one is rare.
Of course not (Score:2)
If you are using Cisco hardware, it is because you are okay with being compromised
Standard MO in enterprise (Score:4, Informative)
I worked in a big (at least for my country) Telco from 1998 'til 2004, and this is standard MO for all the big-uns. CISCO, Compaq (pre-HP merger), HP(E), Nokia, Sun, Tecnomen...
The Lifespan/Support for the equipment (Hardware) is phenomenal, ten years, sometimes more. But they will let you know about end of sales, end of "new features"/New Software versions, and finally end of life (no bugs/security patches of any kind).
Also, if the equipment is in the last stages of its (decades) life, they will not even entertain the possibility of making small upgrades (like say, changing 486DX2-66 processors for 486DX4-133 in order to run the new SW) to prolong the useful life of equipment, instead offering you only a forklift upgrade (risking that you replace them with someone else)
If you are unfortunate enough to buy equipment near the end of its lifecycle, tough luck.
Things are so extreme that, if a piece of equipment enters end of life today, and you request a firmware from 2 years ago (already developed and all), the manufacturer will say no. You had better have cultivated some good relationships with the support personnel, management, and your colleagues in other firms, to get said firmware through "backdoor" channels.
So, this is not strange AT ALL. It's simply that the SOHO/SMB crowd is not used to this...
Still for sale, still being deployed (Score:3)
Re: (Score:2)
I can find these being sold today on secondary on-line markets frequented by IT shops. Big companies give their old electronics to "E-cyclers" and they turn around and put the out-of-support equipment up for sale cheap. Non-profits and local governments then buy and deploy this stuff.
And this is CISCO's or HPE's or ORACLE's fault how exactly?
If you are concerned about second hand online markets, then ask them for patches...
Hate to say this, but (Score:2)
If you've worked at a large company, a product this old, they probably couldn't regenerate a compiled firmware without bringing in a dedicated team of archeologists to dig through internal repos, if they could even find older build machines. It's amazing how fast code goes stale in a moving target environment. Of course, the solution is to release the firmware as source code and blobs so old hardware can be maintained instead of filling landfills.
Cisco is irrelevant. (Score:3)
All of Cisco's product lines are too expensive and inferior to competitors.
Arista > Nexus/Catalyst
Palo Alto Networks > Firepower
Nutanix > UCS
Aruba WiFi > Cisco WiFi
Forescout > Cisco ICE
You get the idea. There's no reason to buy Cisco.