Cisco cancels patches for RCE zero-day vulnerability in VPN routers

Attackers can exploit flaws to restart vulnerable devices and execute code

Vulnerable devices are announced to reach end-of-life, so critical bugs will not get patched.

Cisco published a new security advisory in which new information about recent critical vulnerabilities was shared. It seems that flaws in the Universal Plug-and-Play (UPnP) service of multiple small business VPN routers will not be patched because the devices have reached end-of-life.^[1]

Cisco has not released and will not release software updates to address the vulnerability described in this advisory. The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process

The zero-day bug, traced as CVE-2021-34730 as well as measured along with a 9.8/10 severity for threat score, is actually related to poor verification of inbound UPnP website traffic and was detected by Quentin Kaiser of IoT Inspector Research Lab. This vulnerability could lead hackers to manipulation of reboot-prone units.^[2]

The malicious attackers can exploit flaws to control particular devices or execute arbitrary code remotely without any authentication needed. These commands can be done by the hacker posing as the root user on the operating system. Security researchers warned that at least 8,800 vulnerable systems are open to compromise, and at first, Cisco promised a release of fix patches.^[3]

Customers are advised to choose newer router models

Cisco's official website states that the last day the older RV Series routers were available for the order was December 2, 2019.^[4] As they are no longer available, the company asks customers who are still using these router models to migrate to newer Cisco Small Business RV132W, RV160, or RV160W routers. This can be crucial since attacks are more possible.

The company adds that its Product Security Incident Response Team (PSIRT) is not aware of any public proof-of-concept exploits for this zero-day or any threat actors exploiting the bug in the wild. With Cisco not planning to release any new security updates to address this critical issue, admins are recommended to disable the UPnP service on impacted routers.

In order to know whether the UPnP feature is even enabled on the LAN interface of a device, the user should open the web-based management interface and navigate to Basic Settings > UPnP. If the Disable check box is unchecked, UPnP is enabled on the device.

Zero-day flaws expose companies' security problems

With zero-day Cisco became aware of more security problems like the one in the Adaptive Security Device Manager (ADSM) Launcher. The Cisco AnyConnect Secure Mobility Client VPN program too required further work and attention. Cisco faced security issues last year too with cross-site scripting (XSS) vulnerability.

Zero-day vulnerabilities tend to refer to a software flaw that could be discovered by attackers before the vendor has even become aware of it. Because many companies are unaware, no patch would be existing for such vulnerabilities, making attacks likely to succeed.^[5]

Usually, software developers and cybersecurity experts are looking out for vulnerabilities to patch, but sometimes, hackers spot the flaw before developers do. While it is unfixed, attackers could rewrite and implement a code and plan an attack in order to take advantage of it.