back to article If you're using older, vulnerable Cisco small biz routers, throw them out

If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for a bunch of flaws, two of which are not great. First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its …

  1. 2+2=5 Silver badge
    Joke

    Specific input

    > A remote user could exploit the flaw "by entering a specific input on the login page of the affected device,"

    "Open sesame"?

    1. tip pc Silver badge

      Re: Specific input

      Username:: admin

      Password:: nsa-letmein

  2. HildyJ Silver badge
    FAIL

    Amazed

    That anyone still trusts Cisco anymore.

    Throw the old routers out, by all means, but replace them with those from a less holey competitor.

    1. Anonymous Coward
      Anonymous Coward

      Re: Amazed

      What would you recommend?

      1. Anonymous Coward
        Anonymous Coward

        Re: Amazed

        A BSD box and a couple of network cards.

        Sadly, not available pre-packaged for a reasonable price. There is the tier of OpenWRT soho landfill material, Dinosaurs from the 90's like cisco, and overpriced but nice cloud stuff that stops working when the internet goes down (which is why cisco bought Meraki).

        Or build it yourself and forget about it until your ancestors realize it was walled in 15 years ago and not rebooted since and no-one noticed.

        1. TimMaher Silver badge
          Windows

          Re: Ancestors

          Mine are all dead.

        2. CAPS LOCK

          'Not available pre-packaged...'

          ...https://en.wikipedia.org/wiki/OPNsense

      2. Duncan Macdonald Silver badge

        Re: Amazed

        Huawei

        If both Cisco and the US government hate them then they must be better than Cisco !!!

        1. VoiceOfTruth

          Re: Amazed

          The term "National Security" is very nebulous. It doesn't just mean some other country's equipment has back doors, it means it doesn't have our back doors.

      3. mIVQU#~(p,

        Re: Amazed

        Microtik

    2. aaaa

      Re: Amazed

      I've documented in comments on past articles my own frustration with using Cisco for small business and particularly with them ceasing software updates for vulnerabilities when you have a support contract and well before the EOL date.

      My current strategy is to migrate to small appliances designed to run open source Pfsense or Netgate/Pfsense+

      Anyone here use these?

      edit: I'm not using any of the particular cisco devices mentioned in this article, but ASA's and Branch routers

      1. katrinab Silver badge

        Re: Amazed

        I use OpnSense, which is a fork of pfSense.

        Both are good, OpenSense works better for my particular use case.

      2. Anonymous Coward
        Anonymous Coward

        Re: Amazed

        yes they are a great alternative

      3. Version 1.0 Silver badge

        Re: Amazed

        Essentially, if you are going to have a connection to the Internet then you need a separate firewall - lots of machines are safe when you write rules that only allow their specific access ports. It needs to be a separate hardware firewall like pfSense etc ...

        "For their next act, they'll no doubt be buying a firewall running under NT, which makes about as much sense as building a prison out of meringue." -- Tanuki on ASR about 30 years ago ... getting hacked is nothing new these days.

    3. This post has been deleted by its author

  3. VoiceOfTruth

    Cisco's Dictionary

    Oxymoron

    -> an authentication bypass vulnerability in the virtual and hardware versions of Cisco Secure Email and Web Manager, and the Cisco Email Security Appliance

  4. Ball boy

    Throw away 3 year old, core, infrastructure?

    Hold on: if I bought a new car and a major flaw was discovered three years later then I could reasonably expect it to be recalled by the makers and have this addressed. I don't expect three year old core hardware to be treated as disposable by my network vendor.

    A cynic could argue Cisco is making a strong case for renting this kind of hardware in the future rather than buying it so the end user isn't left hanging out to dry. A realist might see this as a strong case to only buy from vendors who offer more reasonable support for their core equipment.

    1. aaaa

      Re: Throw away 3 year old, core, infrastructure?

      suggestions? I've struggled to find anyone so I'm looking at small appliances designed to run open source Pfsense or Netgate/Pfsense+

      edit: I'm not using any of these particular devices, but ASA's and Branch routers, and I've had the same problem with Cisco refusing to patch critical security vulnerabilities despite us having support/TAC and the model not being anywhere near EOL

      1. fnusnu

        Re: Throw away 3 year old, core, infrastructure?

        Try Mikrotik: minimum 5 years of support

        https://mikrotik.com/

      2. Anonymous Coward
        Anonymous Coward

        Re: Throw away 3 year old, core, infrastructure?

        If you want a designed-for appliance, with vendor support, you're on the right track with Netgate & pfSense.

        If you're confident in your DIY chops, I'd say you're still on the right track with pfSense, but you have to be willing to invest a little effort in figuring out your hardware config.

    2. Terje

      Re: Throw away 3 year old, core, infrastructure?

      While I wholeheartedly agree that not supporting 3 year old kit is unacceptable, it seems that the kit in question is of the cheap and cheerful variety with a price tag that is more like that of a cheap home router then anything else.

      1. Ball boy

        Re: Throw away 3 year old, core, infrastructure?

        These may well be at the cheap and cheerful end of Cisco's range but they were sold as suitable for business use. As such, they should have business class support.

        They might only be supporting a satellite office of three/four people but that's as much of (if not more) a security risk than leaving a hole in corporate HQ.

        What next? Throw the medium level switches and routers to the wolves because they couldn't be bothered to patch them? Perhaps Cisco should define how many people need to be connected via their hardware before they can be classed as 'business users' so admins can do a better risk analysis.

        1. Snake Silver badge

          Re: cheap and cheerful for business use

          The were "junk" rated well before this occurred. The RV110 not only didn't have any firmware updates for YEARS prior to this event, they were 10/100 Ethernet, meaning that if you wanted modern business-level broadband...tough luck, the router would be a hardware limiter.

          Their only saving grace was VPN endpoint, which was indeed a business-level unusual feature for a modest priced unit at the time of their introduction. Not any more.

      2. badflorist

        Re: Throw away 3 year old, core, infrastructure?

        "...cheap and cheerful variety..."

        This does not matter, Ciscco should hold the name Cisco with as much integrity as they still can. At the very least it's an exercise in software and/or hardware security. Cisco proves time and time again they have no interest in what their name stands for, so the next time you goto purchase, maybe their name should be forgotten.

    3. EricB123 Bronze badge

      Re: Throw away 3 year old, core, infrastructure?

      Oh no, yet another monthly subscription.

    4. elaar

      Re: Throw away 3 year old, core, infrastructure?

      "3 year old core infrastructure".

      You're over-egging it a bit there. It's hardware that's 10 years old now, was linksys like quality and cheap even then, and it's no more core infrastructure than my home router is.

      For an office you need a SOHO router like the old 800 or newer 900series as a minimum.

    5. Anonymous Coward
      Anonymous Coward

      Re: Throw away 3 year old, core, infrastructure?

      I fully expect that Cisco would find a way (if they haven't already) to hang their rental customers out to dry too.

  5. Anonymous Coward
    Anonymous Coward

    What?.....No mention of .....

    .....the REMAINING Fort Meade designed backdoors?

    .....or the fact that the recommended patches contain IMPROVED Fort Meade designed backdoors?

    I think we should be told!!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022