Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life (EoL).
This zero-day bug (CVE-2022-20923) is caused by a faulty password validation algorithm that attackers could exploit to log into the VPN on vulnerable devices using what the company describes as "crafted credentials" if the IPSec VPN Server feature is enabled.
"A successful exploit could allow the attacker to bypass authentication and access the IPSec VPN network," Cisco explained in a security advisory issued on Wednesday.
"The attacker may obtain privileges that are the same level as an administrative user, depending on the crafted credentials that are used."
To determine if the IPSec VPN Server is enabled on a router, you have to log in to the web-based management interface and go to VPN > IPSec VPN Server > Setup.
If the "Server Enable" check box is checked, the device is exposed to CVE-2022-20923 exploitation attempts.
Luckily, Cisco says that its Product Security Incident Response Team (PSIRT) found no evidence of publicly available proof-of-concept exploits for this zero-day, or of any threat actors exploiting the bug in the wild, as of the advisory's publication.
Upgrade to newer router models for protection
Cisco asked customers still using the RV110W, RV130, RV130W, and RV215W routers affected by this security vulnerability to upgrade to newer models still receiving security updates.
According to an end-of-sale announcement on Cisco's website, the last day these RV Series routers were available for order was December 2, 2019.
"Cisco has not released and will not release software updates to address the vulnerability described in this advisory," the company added.
"Customers are encouraged to migrate to Cisco Small Business RV132W, RV160, or RV160W Routers."
CVE-2022-20923 is not the first severe security vulnerability affecting these EoL router models that Cisco left unpatched in recent years.
For instance, in August 2021, the company said it wouldn't release security patches for a critical vulnerability (CVE-2021-34730) in these RV Series routers that enabled unauthenticated attackers to execute arbitrary code remotely as the root user, asking users to migrate to newer models.
In June 2022, Cisco again advised owners to switch to newer models after disclosing a new critical remote code execution (RCE) vulnerability (CVE-2022-20825) that wouldn't get patched.
Comments
ZeroYourHero - 1 year ago
Cisco comes across as being greedy on this.
TsofT - 1 year ago
If a 50-year-old automobile has a worthy flaw the manufacturer is required to fix it.
Big Tech has more money than they can use yet they're still intent on screwing over customers any way possible. Gotta keep those growth numbers up!
Hyper_Sphere - 1 year ago
Time to turn to an open source alternative firmware that gets updates regardless of device age!
Openwrt, ddwrt, and freshtomato don't have weird restrictions and intentional bugs like the Cisco crap does.
If you're a business, you can and should be using openwrt. Hiring a person to set it up shouldn't be a problem, and if you're a small business, just set it up yourself! It's not as hard as people think.
cyberwolfe - 1 year ago
This is why Cisco is a DUMPSTER fire of a company.
Chris Cosgrove - 1 year ago
It is not unreasonable for manufacturers not to provide updates for EOL equipment, but in this case EOL is very short; December 2019 is not even three years past. A five-year service life would be more reasonable, and customers would feel that they are being ripped off much less strongly.