Over 70 Vulnerabilities Will Remain Unpatched in EOL Cisco Routers

Cisco this week announced that it does not plan on addressing tens of vulnerabilities affecting some of its small business routers.

A total of 68 high-severity flaws were identified in Cisco’s Small Business RV110W, RV130, RV130W, and RV215W routers, but the company says patches won’t be released, because these devices have reached end-of-life (EOL). The last day for software maintenance releases and bug fixes was December 1, 2020.

The security bugs exist because user-supplied input to the web-based management interface of the affected router series is not properly validated, thus allowing an attacker to send crafted HTTP requests to exploit these issues.

An attacker able to successfully exploit these vulnerabilities would be able to execute arbitrary code with root privileges on the underlying operating system. A mitigating factor, however, is that valid administrator credentials are required for exploitation.

In an advisory detailing 63 of these flaws, the tech giant explains that an attacker could also abuse them to restart the affected devices, leading to a denial-of-service (DoS) condition.

Cisco notes that the web-based management interface on these devices can be accessed either from the LAN or through a WAN connection, provided that remote management is enabled. However, the remote management feature is disabled by default on these devices.

“Cisco has not released and will not release software updates to address the vulnerabilities described […]. The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process. Customers are advised to refer to the end-of-life notices for these products,” the company underlines.

Eight other vulnerabilities that remain unpatched in the same small business router series have been assessed as medium severity. These bugs could be abused by authenticated, remote attackers to launch cross-site scripting (XSS) attacks or access sensitive, browser-based information.

According to Cisco, there are no workarounds to address these vulnerabilities. However, the company says that it is not aware of public exploits targeting the security bugs.

Cisco this week released patches for tens of vulnerabilities, including two high-severity issues in enterprise software solutions.

The most important of these flaws is CVE-2021-1144, a high-severity bug (CVSS score of 8.8) in Connected Mobile Experiences (CMX) that could be abused by an authenticated attacker to modify the passwords for any user account on the system, including administrator accounts.

The bug exists because authorization checks for changing passwords are not correctly handled, enabling exploitation by an authenticated attacker, even if they do not have administrative privileges. The attacker can abuse the bug through sending a modified HTTP request to a vulnerable device.

Another high-severity flaw was found in the AnyConnect Secure Mobility Client for Windows, affecting the endpoint solution’s Network Access Manager and Web Security Agent components.

Tracked as CVE-2021-1237 (CVSS score of 7.8), the issue could be abused by an authenticated, local attacker for DLL injection. The bug exists because resources that the application loads at runtime are insufficiently validated.

“An attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges,” Cisco explains.

The tech giant has released software updates to address both of these vulnerabilities and says that it is not aware of public exploits targeting any of them.

Cisco also published 18 other advisories detailing medium-severity bugs in Webex, ASR 5000 routers, Proximity Desktop for Windows, Enterprise NFV Infrastructure Software (NFVIS), Finesse, Video Surveillance 8000 IP Cameras, Firepower Management Center (FMC), DNA Center, Unified Communications products, CMX API authorizations, and AnyConnect Secure Mobility Client.

Three medium-severity vulnerabilities related to the Snort detection engine were found to impact a broad range of Cisco products, including Integrated Services Routers (ISRs), Cloud Services Router 1000V, Firepower Threat Defense (FTD), Integrated Services Virtual Router (ISRv), and several Meraki product series.

Details on these vulnerabilities can be found in the advisories Cisco published on its security portal.

Related: Cisco Patches Wormable, Zero-Click Vulnerability in Jabber

Related: Cisco Patches Actively Exploited Flaws in Carrier-Grade Routers

Related: Cisco Patches Dozen Vulnerabilities in Industrial Routers