Dump these small-biz routers, says Cisco, because we won't patch their flawed VPN

Cisco patched three security vulnerabilities in its products this week, and said it will leave unpatched a VPN-hijacking flaw that affects four small business routers. Those small-biz routers – the RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router – …

  1. Anonymous Coward

    So businesses paid for a VPN that is suddenly not so Private anymore? Sounds like a lawsuit waiting to happen.

    That aside, VPNs are really not fit for the way people work nowadays (BYOD, home-working, multi-cloud environments). I think the likes of Twingate have the right approach here - fully software-based, no public gateways, access at resource level rather than entire subnets (so no need to mess with firewall rules), client device controls and ability to span cloud/on-prem. So refreshing.

    1. stiine Silver badge

      No, the VPN has not been secure, except for the versions between 20.3 and 20.6*.

      * - unless 20.4 and 20.5 were vulnerable to different bugs, and then they've never been secure.

    2. The Man Who Fell To Earth Silver badge

      OpenWrt or DD-WRT?

      One would hope one of the myriad of open source router OS's will work with these units.

      1. TeeCee Gold badge
        Facepalm

        Re: OpenWrt or DD-WRT?

        Small Business Routers.

        Thus very unlikely to have the necessary Rocket Scientist on staff to install and configure such.

        No professional third-party in their right mind would take the job on. Putting yourself in the position of being potentially liable for outages on a lash-up like that, with no manufacturer support, would be suicidally stupid.

        1. gerdesj Silver badge
          Windows

          Re: OpenWrt or DD-WRT?

          I would take the job on if asked and I would point out that it will take at least a day and at my rate that is quite a lot of lolly.

          On the other hand, you can have one of these nice four port APU4 based boxes running pfSense, that I can have up and running inside two hours. I keep a stock of them and will have your config backed up and to hand and can replace it within a drive plus 30 mins, if it fails.

          If you want a CARP (VRRP) clustered jobbie and have a suitable WAN, I can do that too - all for less than trying to wedge a new OS on your ancient hardware.

          "Thanks" to the pandemic I have a black belt in VPNs, routing, RADIUS, VoIP and all the other paraphernalia of remote working. At one point during the pandemic, I had the WAN at Kingston Comms emulated in my dining room (IPv4 and 6) so I could set up a customer system from Hull - a pair of Fortinets with thirty odd VLANs on the inside, rather a lot of IPSEC tunnels and a lot of port forwards. I have consumer grade Netgears at home so I couldn't use a CLI to magic loads of VLANs etc, so a lot of clicking ensued. I even used IPv6 NPT, some fancy footwork and a couple of tiny VMs on my home ESXi to emulate their external facing web gear. Obviously, I whipped up a DNS server with split horizon to emulate the internal and external facing experience. I might have gone a bit far at times but whilst everyone else was learning how to bake soda bread, I was doing my job 8) I also colour coded all the Forti firewall rules and the NAT related stuff (it's a right old palaver on a Forti). It looked sodding complicated, yet logical by the time I finished it.

          It took me two weeks to setup and test. I shipped them oop North (I'm in Somerset) with an excruciatingly detailed set of wiring instructions and photos and spreadsheets, and they fitted them and cracked on.

          That's how professionals operate, in my opinion. You don't take the piss out of the customer - you cost up their request and offer an alternative that might work better and be more cost effective.

    3. The Man Who Fell To Earth Silver badge

      Open source

      There are a boatload of open source router OS's these days. Surely one of them works with these units.

  2. spireite Silver badge

    VPN becomes.....

    .... a Virtual Paying Network then?

  3. emfiliane

    I was all set to be mad

    ...but a set of basically throwaway small biz devices released in 2011? They're basically consumer routers with a Cisco Enterprise flash and support contract on them, sold for an extra couple hundred. It's not going to kill a SOHO to replace them, and compared to most SOHO devices that get 2-5 years of updates, 10 years is actually pretty damn good. Most probably already have, whether hardware failure or being hamstrung by a 1x1 Wifi N.

    I can rage all day at every provider of entry level hardware, from consumer to enterprise, for abandoning it long before its useful life expires, but that doesn't actually seem to be the case here. You can swap in any $5 router with L2TP server from Craigslist and you wouldn't notice.

    1. tiggity Silver badge

      Re: I was all set to be mad

      Last sold in 2017. 5 years ago. More relevant than when first sold

      And not that throwaway / cheap.

      People get irked by the manufacturers' choice to stop upgrades and so ensure short lifetimes of hardware.

      For home use I buy "prosumer" kit (as the basic aimed at home users stuff is really dire in functionality & security) and my wallet does not enjoy the hit of periodic EOL enforced upgrades AKA new purchases.

      1. Wade Burchette

        Re: I was all set to be mad

        A security product that was last sold in 2017, I expect support for it to continue to 2032, which is 15 years after the last one was sold. This is one of the many reasons I don't like Cisco SOHO products. 5 years for products like this is at least 10 years too short!

        I hate the games companies play with support and security upgrades. Some Android phones once only gave you 18 months of security upgrades. Teamviewer, Garmin, and TomTom define lifetime differently than how I define lifetime. I found out that to each of them, "lifetime" means "until we stop supporting it", not until I or the product dies. The last GPS update for my 17 year old car was 8 years ago -- Nissan didn't even bother giving me 10 years of map updates! I like holding on to my stuff because I hate going through the time and hassle of learning something different. When companies cheap out on support, I try to vote with my wallet.

        1. VoiceOfTruth

          Re: I was all set to be mad

          -> I expect support for it to continue to 2032, which is 15 years after the last one was sold.

          Can you tell us which products you are currently buying?

          1. Giles C Silver badge

            Re: I was all set to be mad

            Well, as the standard Cisco EOS policy is 5 years support after the end of sale date

            https://www.cisco.com/c/en/us/products/eos-eol-policy.html

            It won't be Cisco. I don't think anyone supports kit for that long.

            Just checked and Arista and Juniper are also 5 years

            Extreme is 12-36 months depending on the product.

            So in the enterprise network space when something goes end of sale expect to replace it within 5 years (assuming you still want support on it)

            1. VoiceOfTruth

              Re: I was all set to be mad

              This is sort of my point. I don't think any networking supplier does support 15 years after the last sale. There might be edge cases, e.g. in government and military use, but not in general. And not for the low end.

              I've seen equipment in use long (years) after the support contract ended. It wasn't front line, but there it was.

              1. Giles C Silver badge

                Re: I was all set to be mad

                Depends on the use case.

                Firewalls and edge equipment I wouldn’t do this with, layer 2 switches can last years, as long as you have a spare or two to swap out if something goes bang.

                I once found a 15 year old switch that someone had installed as a quick fix, however as this had a very low MAC address it became the root bridge for the network, until I spent a weekend reprogramming the spanning tree across the site…

              2. Roland6 Silver badge

                Re: I was all set to be mad

                >This is sort of my point. I don't think any networking supplier does support 15 years after the last sale.

                A quick look at the Draytek UK site - the 2830 was also launched in 2011, last update 2018.

                So I would suggest Cisco's level of support is in line with other vendors who take the small business market seriously.

                1. badflorist Bronze badge

                  Re: I was all set to be mad

                  When it comes to the software exclusively (minus phone support etc.), the complexity of the fix should determine "support" not some fixed time period.

                  Companies like to argue about the cost of "testing" while it's ever apparent that basically no company spends money on testing, I doubt they even run a POST before being boxed in China.

                2. Doctor Syntax Silver badge

                  Re: I was all set to be mad

                  "other vendors who take the small business market seriously."

                  Or for granted.

            2. Anonymous Coward

              Re: I was all set to be mad

              Yeah, 15 years is insane. Not that old IOS routers haven't collected dust for that long, but nobody should be expecting that as a norm, and a cheap model (compared to a carrier or datacenter router) shouldn't be expected to go beyond 5 years.

              SOHO stuff should probably self destruct after 3, especially if it has a built in wifi AP. I have paid bounties on my neighbors old gear to stop people from using shit b/g stuff that's decades old.

              If you do need a 20 year router, I have one thing to say. BSD.

              That and a box of spares will get you there.

          2. Oh No, Not Again

            Re: I was all set to be mad

            Hammer and chisel?

      2. Anonymous Coward

        Re: I was all set to be mad

        5 years is ages for Cisco kit...by the time their kit filters through the various layers inside telecoms companies etc, it's obsolete.

        Up until about 3 months ago, Virgin Media was still selling Cisco ATA devices that went EOL years ago...and they didn't start selling them until 6 months before they went EOL.

        Hardly anyone buys Cisco kit for SOHO or SME these days. I mostly see Juniper (shiver), Draytek (not bad) and Mikrotik (awesome).

    2. Mishak Silver badge

      They may be "cheap" (not so expensive), but...

      What about the environmental impact of replacing what would be perfectly serviceable were it not for a software defect that could be fixed?

      1. ThatOne Silver badge
        Devil

        Re: They may be "cheap" (not so expensive), but...

        > What about the environmental impact

        Environmental impact and profit collide: Which one breaks?

        1. P. Lee

          Re: They may be "cheap" (not so expensive), but...

          You can solve the problem by splitting hardware and software. Open source firewalls/routers and commodity hardware.

          It seems there are things companies can’t do.

          1. ThatOne Silver badge

            Re: They may be "cheap" (not so expensive), but...

            > You can solve the problem by splitting hardware and software

            That would reduce profits, as you would only sell new software. Besides the point of new software is to require some feature your current hardware doesn't have, so you have to buy everything all over again, software + hardware. Like in the past.

    3. Snake Silver badge

      Re: I was all set to be mad

      I discussed this very topic / router subgenre 3 months ago

      https://forums.theregister.com/forum/all/2022/06/16/cisco_critical_patches/#c_4478456

      They were antiques well before this point in time; this is Cisco only now reaffirming this fact. The RV110 was never 'great' even when new and, frankly, it did not age well; I was glad to be able to use the opportunity to say "Good riddance!" to it when I could justify it to my boss (who allowed the purchase via his tech brother-in-law) when we moved.

  4. train_wreck

    Why do they recommend moving to the RV160? That device will receive its last software update in roughly a week from now…. (Cisco has let all the RV series devices languish for many years, IMO they would very much like to give up on them and please won’t you just buy a $1000+ firepower device/subscription)

    Source for EOL: https://www.cisco.com/c/en/us/products/collateral/routers/small-business-rv-series-routers/eos-eol-notice-c51-2655972.pdf

    1. mark l 2 Silver badge

      Probably so Cisco can sell them ANOTHER router after their replacement goes EOL.

      1. Anonymous Coward

        SHHH.

        You aren't supposed to point out the fact that they like to push you from obsolete crap to nearly obsolete crap.

        I mean you're totally right, but your rep will hate you for pointing it out.

        Also watch out for cold calls asking about or offering you quotes. They are just trying to lock up your account in Cisco's computer system (that's designed to make it harder for resellers to poach each other's clients).

        That means that even if you normally deal with another rep you may not be able to get the best pricing on your next purchase, which the cold calling company is not required to give you. Most of them are just spammers that will sell the lead to another bidder anyway. So if you want a decent deal, call the company you want to use first, beat them up, and tell any others what they have to beat. Your original bid can probably then undercut the best offer because of the built in hidden discount.

        This is stupid, and a waste of everyone's time, but it may save you some scratch.

        1. M.V. Lipvig Silver badge

          Re: SHHH.

          Really? If someone did that to me, that company would lose my business until the end of time. I will not be told who I can and cannot buy from, and if I am forced to buy from someone I don't wish to deal with I won't buy at all.

  5. OhForF'

    Hard-/Software expiration date

    > Hardware and software have a very short lifecycle – like dairy products – and come with an expiration date

    Last time I checked all dairy products had a best use before date on the outside of the packaging; I haven't seen a router that specified when it will go EOL like that.

    Dairy products go bad with time and there is no way to revert that process so you can't repair them.

    Software doesn't go bad, bugs are usually in there from the get go and some get known over time but that can be patched.

    Hardware should easily be able to work for longer than 5 years and it should be possible to replace parts that fail early.

    IMHO the very short lifecycle of hard- and software is artificially created by design as the vendors want their customers to make recurring purchases.

    At the least vendors should have to specify the earliest date they might decide to no longer provide patches and replacement parts.

    The source code along with instructions how to set up the build infrastructure and build and install the binaries on the device should be put in escrow and once the vendor declares it EOL the customers should get access.

    1. Nick Ryan Silver badge

      Re: Hard-/Software expiration date

      In the case of Cisco, recurring purchases due to forced obsolescence and a subscription to allow you to use the hardware that you thought you paid for.

      Our last networking hardware refresh removed all Cisco network switches and firewalls. Unfortunately Cisco bought Meraki in 2012...

      1. emfiliane

        Re: Hard-/Software expiration date

        Meraki's buyout was one of the most crushing experiences for me, what was a disruptor was now about to be a cash cow, and that's exactly what happened. They weren't perfect, but they were leaps and bounds better than competitors at the time.

        Ubiquiti has resisted buyouts, but they've continually climbed up the enterprise mesh networking ladder and left your average one-off buyer behind, where they used to be the instant automatic buy for one or a handful on a site.

    2. ThatOne Silver badge
      Facepalm

      Re: Hard-/Software expiration date

      > Hardware and software have a very short lifecycle

      Of course you're not supposed to ask the embarrassing question - Why?

      It's presented here as an obvious and indisputable truth, but if you think about it there is actually no rational reason: Hardware, no matter how cheap, will easily last a decade or two, and software will last as long as the support it is stored on. Ah yes, bugs. But they aren't supposed to be there, are they. Not the first day and even less several years later.

      The only reason for the, attention, not just "short" but "very short" lifecycle is greed.

      1. LateAgain

        Re: Hard-/Software expiration date

        No no no. (probably)

        After a couple of years everyone who knew how it was built gets fired (outsourced or contractors)

        1. Mark Hahn

          Re: Hard-/Software expiration date

          There's nothing edgy about this kind of hardware: off-the-shelf microcontrollers and commodity switch chips.

      2. Anonymous Coward

        Really?

        In a 5 year span I have seen the upstream connections for routers jump from 1 MB through 10 and 100MB, and again from 100mb to 1g and now 10g. Five years from now it will be at least 100G.

        The underlying hardware may work but it's probably irrelevant. I can live with 5+, and I don't need 10 or 15. Mostly because I'd rather spend on cheaper hardware that lasts 5 years than expensive gear that is reliable and over spec enough to be relevant in 15 years.

        That is to say, if I need a 1g WAN connection, I buy a 1G or 10G rated part that serves my immediate needs, not a 200-400GB part that probably won't even use the same connectors as the gear 15 years into the future.

        1. Twanky Silver badge

          Re: Really?

          If the load/speed has increased over time then yes, the hardware will probably not be suitable unless it was massively over-specced when new. However, it is not unusual (at least, it wasn't unusual for me) to re-deploy kit to smaller sites in a multi-site setup. It's not great to hear when trying to standardise on kit from the same 'stable' to be told - yeah you've got a known bug in that gear but we've no intention of fixing it. It's the sort of thing that would make me actively look for a different 'stable' to standardise on.

  6. Anonymous Coward

    Remote authentication bypass

    Since when has a RAB been a medium severity flaw?

    I'm assuming it's because it's the customer requested feature of all Cisco equipment?

  7. Duncan Macdonald Silver badge
    Mushroom

    Having bribed the US government to ban Huawei

    Cisco now does not need to fear its customers fleeing to better products from its main competitor.

    Icon for what should happen to politicians that act against their citizens' interest because of bribes ====>

    1. Anonymous Coward

      Not my first guess of companies that are threatening Cisco's router market

      Literally never seen one in a rack either. Plenty of their Telco stuff in other industries before the bans. Sounds like it was a bigger deal where you work, but I wouldn't expect a peasant uprising on that one any time soon.

      I'd offer to let them ban Cisco here too, but while it would put a smile on my face to get the crap out of my racks, I doubt either your bosses or the PRC would consider it a fair trade. I can't blame them.

      I don't trust Huawei. I KNOW Cisco is overpriced crap these days.

  8. katrinab Silver badge
    Meh

    My advice for a small business would be

    Find an old retired desktop computer.

    Put a £10 ethernet card in it for an additional network port.

    If it has a graphics card in it, and the CPU has iGPU, take the graphics card out.

    Install OPNsense or pfSense on it.

    Use that as your router / VPN gateway.

    1. Anonymous Coward

      Re: My advice for a small business would be

      I bought my firewall router in 2008, it is still receiving regular updates and is still forwarding packets faster than my broadband, it also only burns about 20-30W so a lot less than an old do it yourself power hungry PC. My gateway is made by Mikrotik, a company that doesn't rip off their customers.

    2. Roland6 Silver badge

      Re: My advice for a small business would be

      Way too much effort and the running cost with a >300W power supply etc. - electricity is no longer cheap.

      A change of ISP. It surprised me how many business ISPs still supply a - albeit cheap - router with new contracts.

      If you really want to DIY, the Pi would be a better platform..

      1. Anonymous Coward

        Re: My advice for a small business would be

        Pi's tend to be bandwidth bottlenecks on cable modem or better networks, just as a heads up. So keep that in mind if you are enthusiastic about your network speeds. If you aren't on the base plan it might be cheaper to buy a faster router and drop to a slower connection till it pays for itself.

        To be fair many home routers are also throttling faster connections. There are other single board computers with dual ports out there for a bit more money though, and even a cheap SFF Dell with an extra network card would do the job for well under 75W.

        Another option is a small PoE switch in firewall mode powering your Wireless APs. The Cisco SG-350 8 port isn't terrible for that, and you can use standalone APs from another company like Ubiq if you want.

        1. Roland6 Silver badge

          Re: My advice for a small business would be

          >Pi's tend to be bandwidth bottlenecks on cable modem or better networks

          Agree they do have some limitations, however, I was pitching at the:

          "Find an old retired desktop computer.

          Put a £10 ethernet card in it for an additional network port." platform proposition.

          In my experience that will be a pre-2014 desktop, i.e. it probably ran XP and was upgraded to W7 - so x64 if you are lucky, so probably not much better than a Pi...

          >To be fair many home routers are also throttling faster connections.

          This is also a problem with low end "small business" routers.

          >Another option is a small PoE switch...

          Need to watch these as they tend to be "desktop" spec.

          So agree, unless your ISP supplies a reasonable router, it is best to spend a little more and get something more suited to small businesses and expense it.

  9. Paul Crawford Silver badge
    Joke

    Good job we did not buy Huawei due to poor software practices and security risks!

    Oh, somebody bought Cisco instead?

    Damn, in the same hole but with the pizza and Xmas party budget blown.

  10. JimmyPage
    FAIL

    It's the modern way

    Who remembers the days of hi-fi separates?

    Yes, "music centres" seemed a good idea. Until you realised you were stuffed if you wanted to upgrade your amp. Or cassette deck.

    How many people had to shove their first CD player through the "Aux" plugs ?

    Same with "Smart" TVs. Once the software is out of interest, you can be shafted. That's why I ignore all "Smart" features (causing sales droids to weep). All I want is the panel. I'll plug my media in myself, thank you very much.

    Same for cars. No, I don't want your (invariably shite) media experience. Just play what my media device is casting.

    Now it's telecoms. All-in-one routers are all very well for the domestic plug'n'play market where tech support is a mate on a pint basis. But if you aspire to running a grown up business, then (as I do) you set your kit up in components. I have a dedicated server handling my OpenVPN connections that (a) has a fallback and (b) can be upgraded independently of whatever routers or switches I am using.

    Surely no one reading El Reg lets their VM "Superhub" act as their router? I don't.

    1. TRT Silver badge

      Re: It's the modern way

      Hell no. I have that set to modem mode and use a Cisco small business RV series router / firewall. I mean you can trust Cisco, right? Right? Bueller...

      :(

    2. Anonymous Coward

      I just set the handoff to bridge mode

      I figure the 1st hop device from the carrier will filter out any local network traffic right?

      1. TRT Silver badge

        Re: I just set the handoff to bridge mode

        ROFL.

    3. jollyboyspecial Bronze badge

      Re: It's the modern way

      The "aux plugs" are a direct line level input to the amp. Just like if you owned a separate amp, all the inputs (except phono) were line level inputs. So exactly the same thing.

      The problem with music centres was twofold. Firstly the component parts were usually of a low standard and secondly that you couldn't upgrade any one part. Most of them had at least one aux input so adding components wasn't a problem. Not that I ever owned one.

      However I don't see how this compares to this situation.

  11. GraXXoR

    If I were trying to boost income and were an unscrupulous company, I, too would make sure that all my customers were made keenly aware of a massive, unpatched vulnerability in my products a couple of days/weeks after they left extended support.

  12. jollyboyspecial Bronze badge

    News?

    Vendor won't patch out of support kit is not news

  13. M.V. Lipvig Silver badge

    All you pro-EU folks,

    Ask the EU why they're so black instead of green, and when they ask in shocking tones why you would think that, bring this up. No use in me bringing it up in the US where profit trumps all, but the EU will at least make the attempt. Something like "must support 20 years past the last one sold" would be great seeing as the magic smoke seals tend to give out after 15 to 20 years. There is absolutely no reason why working hardware should be tossed, and not everyone needs the latest bit of flashy flash for their business. I, for example, just require that my router connects me to the internet and that nobody be able to take it over.

    A lot of this could be fixed by holding the equipment makers financially and criminally responsible if a bug allows their gear to be compromised. Then, they would be selling shiny only after it was thoroughly tested, and they would send a bug fix as soon as a vuln was found.

    1. jollyboyspecial Bronze badge

      Re: All you pro-EU folks,

      Read the story again. The kit in question was out of support before the particular vulnerability was found.

      Or are you suggesting that all kit should be supported forever?

      And IT kit is probably the least vulnerable kit around. Cars are a fantastic example - so many automotive "security" systems are vulnerable by design, but you don't seem to be suggesting car manufacturers should be fined every time a car is stolen. The locks on your house are likely to be vulnerable to very simple attacks, should lock manufacturers be fined every time a house is broken into? Residential security systems are often vulnerable to simple attacks too. Should manufacturers of house alarms be subject to fines? And so on and so on.

  14. Mattknz1

    These things were rubbish.

    I inherited 4 of them at a previous job, they were used as VPN gateways between small sites. Best thing ever was a CVE around 2018 that warranted replacing them. They were trash tier, interface going non-responsive and forever having to reboot them.

    I'd argue they sold them for about 3 years longer than they should have.
