A critical vulnerability in Cisco Small Business Routers will not be patched by the networking equipment giant, since the devices reached end-of-life in 2019.
Tracked as CVE-2021-34730 (CVSS score: 9.8), the issue resides in the routers’ Universal Plug-and-Play (UPnP) service, enabling an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.
The vulnerability, which the company said is due to improper validation of incoming UPnP traffic, could be abused to send a specially-crafted UPnP request to an affected device, resulting in remote code execution as the root user on the underlying operating system.
“Cisco has not released and will not release software updates to address the vulnerability,” the company noted in an advisory published Wednesday. “The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process. Customers are encouraged to migrate to the Cisco Small Business RV132W, RV160, or RV160W Routers.”
The issue impacts the following products —
- RV110W Wireless-N VPN Firewalls
- RV130 VPN Routers
- RV130W Wireless-N Multifunction VPN Routers
- RV215W Wireless-N VPN Routers
In the absence of a patch, Cisco recommends customers to disable UPnP on the LAN interface. Quentin Kaiser of IoT Inspector Research Lab has been credited with reporting the vulnerability.
“All too often, after a system or service is replaced, the legacy system or service is left running ‘just in case’ it is needed again. The problem lies in the fact that — like in the case of this vulnerability in the Universal Plug-and-Play service — the legacy system or service is usually not kept up to date with security updates or configurations,” said Dean Ferrando, systems engineer manager (EMEA) at Tripwire.
“This makes it an excellent target for bad actors, which is why organizations that are still using these old VPN routers should immediately take actions to update their devices. This should be part of an overall effort to harden systems across the entire attack surface, which helps to safeguard the integrity of digital assets and protect against vulnerabilities and common security threats which may be leveraged as entry points,” Ferrando added.
CVE-2021-34730 marks the second time the company has followed the approach of not releasing fixes for end-of-life routers since the start of the year. Earlier this April, Cisco urged users to upgrade their routers as a countermeasure to resolve a similar remote code execution bug (CVE-2021-1459) affecting RV110W VPN firewall and Small Business RV130, RV130W, and RV215W routers.
In addition, Cisco has also issued an alert for a critical BadAlloc flaw impacting BlackBerry QNX Real-Time Operating System (RTOS) that came to light earlier this week, stating that the company is “investigating its product line to determine which products and services may be affected by this vulnerability.”