A critical flaw in older Cisco Systems routers will not be patched after the company advised users that they have reached their end-of-life status.
The vulnerability is present in the Universal Plug-and-Play services in Cisco Small Business RV214W, RV130W, RV130, and RV110W routers. Cisco rated the flaw ‘critical’ and said it could allow an unauthenticated, remote attacker to execute arbitrary code or cause a device to restart without warning, resulting in a DDoS situation.
The flaw is the result of improper validation of incoming UPnP traffic. The attacker can exploit the vulnerability by sending an engineered UPnP request to the affected device.
No workarounds, except for one
A successful exploit could allow the attacker to gain root status on the underlying OS and cause the device to reload, triggering a DoS situation.
To be fair, Cisco alerted users about the flaw. The company then went on to say in its notice that it has not released software updates that address the vulnerability. It also told users that there are no workarounds to address the problem either.
However, Cisco noted that admins can disable the affected feature by disabling UPnP on the LAN interface of the router.
Turns out to be an easy fix
Jake Williams, the co-founder and Chief Technology Officer at BreachQuest (an incident response firm) spoke to SiliconANGLE and said that exploiting the vulnerability in a default configuration requires the hacker to access the internal network.
To get that kind of access requires methods like phishing. Once the hacker is inside, they could easily control the device by deploying an exploit.
Many of the vulnerable devices are distributed among smaller business environments, while some large organizations use them for remote offices. Disabling the feature is the best way to stay safe since there is no significant applicable use for it in business environments.