Cisco patched three security vulnerabilities in its products this week, and said it will leave unpatched a VPN-hijacking flaw that affects four small business routers.
Those small-biz routers – the RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router – have reached their end-of-life (EoL) and the networking vendor is recommending customers upgrade to devices that aren’t vulnerable. To give you an idea of the potential age of this kit, Cisco stopped selling the RV110W and RV130 in 2017, and ended support for them this year.
“Cisco has not released and will not release software updates to address the vulnerability described in this advisory,” the supplier wrote in an advisory. “Customers are encouraged to migrate to Cisco Small Business RV132W, RV160, or RV160W Routers.”
It also said that there are no workarounds to mitigate the flaw.
That vulnerability, tracked as CVE-2022-20923 with a severity rating of “medium,” if exploited could enable an unauthenticated remote attacker to bypass authentication checks and freely access the device’s IPSec VPN.
“The attacker may obtain privileges that are the same level as an administrative user, depending on the crafted credentials that are used,” Cisco added. The flaw is the result of the improper implementation of a password validation algorithm, we’re told.