Cisco has said it will not roll out security patches for a critical vulnerability in the Universal Plug-and-Play (UPnP) service of Small Business RV110W, RV130, RV130W, and RV215W Routers and is advising customers to migrate to more modern small business routers.
Last week, Cisco said a critical vulnerability had been discovered in the UPnP service of some legacy small business routers that recently entered end of life. Because the routers in question, the Small Business RV110W, RV130, RV130W, and RV215W, are legacy products, Cisco says customers must either disable the UPnP functionality or migrate to newer routers sold by the company.
The critical vulnerability, according to Cisco, enables an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition. It arises due to improper validation of incoming UPnP traffic and can be exploited by an attacker by sending a crafted UPnP request to an affected device.
The networking giant said it will not release any fixes for the vulnerability and that there are no workarounds that address the flaw, which leaves small businesses with little choice but to migrate to newer routers. In the meantime, Cisco says the vulnerability can be mitigated by disabling the UPnP service on the LAN interface, where it is enabled by default (it is disabled by default on the WAN interface).
“Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
“The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process. Customers are encouraged to migrate to the Cisco Small Business RV132W, RV160, or RV160W Routers,” Cisco added.
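As an added check (example code written for this page, not Cisco's tooling and not part of the original article), the script below sends a standard SSDP M-SEARCH discovery request from a host on the same LAN segment as the router and lists every host that answers. A router that still replies after UPnP has been disabled on its LAN interface has not actually had the mitigation applied. The sample response embedded in the code is constructed for the example and is not a real device banner; the multicast TTL and MX values are assumptions suited to a single LAN segment.

```python
"""Probe the local LAN for hosts answering UPnP/SSDP discovery.

Added example (not Cisco's code or part of the original article): after
disabling UPnP on a router's LAN interface, run this from a host on the same
LAN segment. Any router that still answers an SSDP M-SEARCH still has its
UPnP service reachable, i.e. the mitigation has not taken effect.
"""
import socket
from typing import Dict, List, Optional, Tuple

SSDP_ADDR = "239.255.255.250"   # standard SSDP multicast group
SSDP_PORT = 1900                # standard SSDP port

# Standard SSDP discovery request as defined by the UPnP Device Architecture.
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    f"HOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: upnp:rootdevice\r\n"
    "\r\n"
)

# Constructed sample response (made up for this example; not a real Cisco banner).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
    b"LOCATION: http://192.0.2.1:1900/rootDesc.xml\r\n"
    b"SERVER: Linux/3.x UPnP/1.0 ExampleRouter/1.0\r\n"
    b"\r\n"
)


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse one SSDP datagram into a lower-cased header -> value mapping.

    Returns None for anything that is not an HTTP/1.1 200 response (NOTIFY
    announcements, other hosts' M-SEARCH requests, or unrelated traffic).
    """
    text = raw.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":          # blank line ends the header block
            break
        if ":" not in line:
            continue            # tolerate malformed header lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def summarize(responses: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str]]:
    """Turn (source_ip, datagram) pairs into (ip, SERVER, LOCATION) rows,
    one per responding host, skipping datagrams that are not SSDP responses."""
    seen: Dict[str, Tuple[str, str, str]] = {}
    for ip, raw in responses:
        hdrs = parse_ssdp_response(raw)
        if hdrs is None:
            continue
        seen.setdefault(ip, (ip, hdrs.get("server", "?"), hdrs.get("location", "?")))
    return sorted(seen.values())


def discover(timeout: float = 3.0) -> List[Tuple[str, bytes]]:
    """Send one M-SEARCH to the SSDP multicast group and collect replies
    until `timeout` seconds pass. Must run on a host on the same LAN segment."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)  # assumed: one segment
    sock.settimeout(timeout)
    replies: List[Tuple[str, bytes]] = []
    try:
        sock.sendto(MSEARCH.encode("ascii"), (SSDP_ADDR, SSDP_PORT))
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            replies.append((ip, data))
    except socket.timeout:
        pass                    # no more responders within the MX window
    finally:
        sock.close()
    return replies


if __name__ == "__main__":
    rows = summarize(discover())
    if not rows:
        print("No SSDP responders: no UPnP service reachable on this segment.")
    for ip, server, location in rows:
        print(f"UPnP still enabled on {ip}: SERVER={server} LOCATION={location}")
```

Run it before and after changing the router setting and compare the lists. Silence after the change is evidence that the UPnP discovery service is off on the LAN side; it does not by itself prove anything about the WAN interface, so verify that setting separately in the device configuration.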
Commenting on the dangers of keeping legacy devices within networks, Dean Ferrando, lead systems engineer (EMEA) at Tripwire, says that after a system or service is replaced, the legacy system or service is often left running “just in case” it is needed again. However, the downside of this practice is that the legacy system or service is usually not kept up to date with security updates or configurations.
“This makes it an excellent target for bad actors, which is why organisations that are still using these old VPN routers should immediately take action to update their devices.
“This should be part of an overall effort to harden systems across the entire attack surface, which helps to safeguard the integrity of digital assets and protect against vulnerabilities and common security threats which may be leveraged as entry points,” he adds.