Cisco’s Small Business RV110W, RV130, RV130W, and RV215W routers contain 68 vulnerabilities. However, the company doesn’t plan on fixing them. Instead, “customers are advised to refer to the end-of-life notices for these products,” the advisory explained.
What is causing the 68 vulnerabilities?
The vulnerabilities in these specific Cisco routers exist because user-supplied input to the web-based management interface is not validated correctly. This could allow attackers to send crafted HTTP requests and carry out arbitrary code execution with root privileges. The vulnerable devices could also be restarted unexpectedly due to the exploit, leading to a denial-of-service condition.
However, attackers could exploit the flaws only if they hold valid admin credentials.
The 68 flaws impact the following Cisco Small Business routers:
- RV110W Wireless-N VPN Firewall
- RV130 VPN Router
- RV130W Wireless-N Multifunction VPN Router
- RV215W Wireless-N VPN Router
“The web-based management interface of these devices is available through a local LAN connection, which cannot be disabled, or through the WAN connection if the remote management feature is enabled. By default, the remote management feature is disabled for these devices,” the advisory said.
Admins should determine whether remote management is enabled in the device configuration. To check, open the web-based management interface and choose Basic Settings > Remote Management. If the Enable box is checked, remote management is enabled.
No workarounds addressing these vulnerabilities are available, the company added.
Cisco doesn’t plan to patch the 68 vulnerabilities
The company hasn’t released any updates for the router flaws and doesn’t plan to do so. The reason for the decision is that the products have entered the end-of-life process. Customers should refer to the end-of-life notices for each router and upgrade to other products.
A complete list of the flaws is available in the official advisory.
In November 2020, Cisco reported a severe issue in its IOS XR software. The CVE-2020-26070 bug could allow unauthenticated, remote hackers to take advantage of Cisco Aggregation Services Routers, known as ASR. The flaw was triggered by improper resource allocation that occurs “when an affected device processes network traffic in software switching mode.”