back to article Cisco warns it won't fix critical flaw in small business routers despite known exploit

Cisco "has not and will not release software updates" to address a critical flaw in four small business routers, despite having spotted proof of concept code for an exploit. The networking giant on Wednesday advised that its model RV016, RV042, RV042G, and RV082 routers are subject to CVE-2023-20025 – a critical-rated …

  1. GraXXoR Bronze badge

    I always find this sort of lack of flexibility a little disheartening. Where is the customer concern? Where is the humanity? Surely, offering a post cutoff patch would go a long way to generate goodwill and publicity.

    Though playing devil’s advocate, it might raise future expectations and even set them up for legal challenges if the good-will code has some unforeseen side effects. No good deed goes unpunished, etc.

    Probably best just to say “fk it! yer on yer own!”

    1. Bubba Von Braun
      FAIL

      "Probably best just to say “fk it! yer on yer own!”"

      I thought that's exactly what Cisco is saying!! After all "We are CISCO, resistance is futile!"

      1. alain williams Silver badge

        If it was just CISCO that took this attitude I would not be so concerned. These days most corporates take that attitude.

        Another part of the problem is that the end-of-support date is hard to find when you buy these things.

      2. Anonymous Coward
        Anonymous Coward

        "No one ever got fired for buying Cisco."

        ... though perhaps sometimes they should have been.

    2. Pascal Monett Silver badge

      Re: Customer concern ?

      That is soooo last millenium.

      These days megacorps don't even need to pretend any more. It's just "fork it over and thank your lucky stars you don't live in China".

    3. keith_w
      Black Helicopters

      As was said in the article, most small businesses don't have the expertise to block 443 or 60443, or even to find out that they need blocking, so why would anyone think that they would know to find the patch and then install it?

      1. coredump

        I had the same thought. You'd *hope* there's somebody familiar with at least the idea of patching, but putting that into practice at a SMB sans IT person (let alone "staff") is probably a longshot as often as not.

        Plus, unless Cisco et al are proactive about notifying customers of the peril, let alone the workaround / mitigation port-blocking or similar actions, what're the odds said SMB even knows they have a potentially affected device. Probably slim.

        Reality is kinda grim sometimes, eh?

  2. Yorick Hunt Silver badge

    It is Cisco, after all.

    If you weren't concerned that the NSA, CIA and FBI had backdoor access to your network through Cisco equipment, why would you be concerned if someone else also had a peek in?

    You buy based on marketing rather than research, you get what you deserve.

  3. Mishak Silver badge

    Did I read that right?

    They drop software updates whist the hardware is still in support? Isn't that the wrong way round?

    1. mark l 2 Silver badge

      Re: Did I read that right?

      I agree is Mishak, What is the point of hardware support until 2025 if they drop the software support 4 years earlier.

      Hello Cisco support our router just died. Don't worry says Cisco another one with outdated OS and unpatched security flaws is on the way to you and will be there shortly.

      1. Captain Scarlet

        Re: Did I read that right?

        Maybe whoever purchased them got them with extended warranties for the hardware?

      2. Mayday
        Thumb Down

        Re: Did I read that right? - software support

        CCIE and long time “Cisco user” Here.

        That’s EXACTLY what they do. It’s a prickly conversation I’ve been having with customers for years.

        Example:

        Mayday: “hey large hospital customer, about half of your IP phone fleet is subject to a vulnerability which allows nasties to get in from outside and run arbitrary code on them, and then can hop off and compromise other internal systems such as medical equipment, PCs and other stuff”

        Hospital guy: “Thanks for that, these are good, working phones, let’s just update the software in them to a shiny new version”

        M: they’re out of software support, you’ll need to buy thousands of new phones to replace them”

        HG: “they’re only a few years old, and they still work!”

        M: “I know. Sorry. Here’s a quote for new phones.”

        1. Mayday
          Flame

          Re: Did I read that right? - software support

          Add followup:

          Account manager: great win at $Healthmob. I’ll take you out for a drink Friday afternoon

          Mayday: cool thanks. What are you doing on the weekend?

          AM: going car shopping. Getting ripper commissions from selling all those phones to $Healthmob.

        2. Anonymous Coward
          Anonymous Coward

          Re: Did I read that right? - software support

          I suppose if they're stupid enough after that to accept your quote instead of picking another vendor, they deserve what they get next time.

          You, on the other hand, are a dirtbag if you ever give them another Cisco quote ever again.

          And you're even more of a dirtbag for putting Cisco phones on the same network as anything else. Physical separation and they'd be able to intelligently say "Don't care, phones are isolated, unlikely to get hacked, and won't hurt anything else if they do."

          1. Mayday
            WTF?

            Re: Did I read that right? - software support

            Customer were/are a Cisco shop and that’s what they wanted. No one made them accept the quote or even keep us as their preferred supplier.

            As for you, calling people names whilst hiding behind an AC. Well done.

            1. Brian 3

              Re: Did I read that right? - software support

              True Lawyer Speak: "No one made them..."

          2. david 12 Silver badge

            Re: Did I read that right? - software support

            phones are isolated ... and won't hurt anything else

            Supplier installed our phone system without changing the default password. Several $1000 AUD in call charges just in a couple of days and ramping up: we only noticed when all virtual connections were used up.

          3. Anonymous Coward
            Anonymous Coward

            Re: Did I read that right? - software support

            At $JOB-1, the office network jack for your PC or laptop was literally the daisy-chain port on your office phone. Can't remember the vendor.

            Sometime after that, maybe after an event somewhat like TFA or the OP in this sub-thread, the hardware phones went away and your office computer was plugged directly into the wall. As a replacement (billed as an upgrade) we got "soft phones", which really only worked with Corporate Windows PC's and Teams.

            Opinions varied. I'm not sure which was worse. But since I didn't care about phones (hard or soft) and left less than a year later, it didn't affect me much anyway.

            1. Down not across

              Re: Did I read that right? - software support

              At $JOB-1, the office network jack for your PC or laptop was literally the daisy-chain port on your office phone. Can't remember the vendor.

              True for many (most?) vendors. Generally the phone and the PC ports will be on different VLANs (assuming things are even vaguely properly configured).

              1. Anonymous Coward
                Anonymous Coward

                Re: Did I read that right? - software support

                No wonder those phones were so expensive.

                And probably no coincidence, no great surprise Corporate dumped them when they started bringing people back to office. Maybe they were losing their software support for those, too.

                I can't speak to the phones' config (ISTR they were Cisco but wouldn't swear to it), but it did seem to take a long time for IT to sort office datajack issues, compared to the old days when phone and PC weren't sharing a cable.

      3. coredump

        Re: Did I read that right?

        You maybe wouldn't mind so much about the gear outliving the software support if the hardware could run OpenWRT / DD-WRT or similar, but how many SMB are really up for that sort of migration?

  4. Duncan Macdonald

    Cisco :-)

    Having used the US government to disable its main competitor (Huawei), it feels that it no longer needs to provide support to its customers.

    1. Black Label1
      Black Helicopters

      Re: Cisco :-)

      The game goes both ways. Word is Huawei also MAY have used some Cisco IP tech :-)

  5. Wade Burchette

    Time to dump Cisco

    This is the second story read in the last 12 months about Cisco not properly supporting their products. The other one was about a product with short support. For security products, I expect full support at least 15 years after the last one was sold brand new. With Cisco's greedy disregard for security, I say it is time to dump their products and give our money to companies that won't make you buy a newer one -- and thus have all the headaches of properly configuring a new one -- every 5 years or so.

    1. Nate Amsden

      Re: Time to dump Cisco

      Curious can you name any such products especially in the networking space? I've been doing networking for about 20 years and haven't heard of any vendor/product remotely approaching 15 years of support after end of sale, at most maybe 5 years?

    2. elaar

      Re: Time to dump Cisco

      This isn't a "security product" though, it's a very cheap 13 year old design SOHO router, and to be fair no business EVER should have remote web management enabled on a public facing device, that's a ridiculous thing to do fullstop.

      1. david 12 Silver badge

        Re: Time to dump Cisco

        no business EVER should have remote web management

        But if it's unsafe why is it sold as a feature?

        To be fair Small Office is just about the only situation where the feature is useful. No redundant connections to allow indirect management, no redundant support to allow on-site management.

        During COVID, I was going into the factory every couple of weeks to restart elements of the computer system, Some of these trips could have been avoided if I'd allowed remote web management of the router.

        1. Anonymous Coward
          Anonymous Coward

          Re: Time to dump Cisco

          Why not a VPN to the router then effectively manage it as "local"? Surely safer to expose a VPN endpoint than a web UI?

          1. david 12 Silver badge

            Re: Time to dump Cisco

            Why not a VPN to the router then effectively manage it as "local"? Surely safer to expose a VPN endpoint than a web UI?,

            Because it was the VPN that needed to be reset.

  6. Gene Cash Silver badge

    Thanks

    More fodder for the "Don't buy Cisco" bookmarks folder.

    1. Down not across

      Re: Thanks

      Certainly think carefully before touching any of their "Cisco Small Business"/RV line kit. Some of that kit was unbelievably buggy and cisco had no interest in fixing any if the issues even whilst it was still current/supported.

      At least they support (somewhat at least) the normal enterprise kit.

  7. Kevin McMurtrie Silver badge

    Hardly the first problem

    I had one of those (RV042G I think) and it was hopeless to secure. If I reported a vulnerability, Cisco would send me a patched firmware file with a worse vulnerability. I crushed and disposed of it when the WAN ports had admin telnet permanently open with the default password. Giving it away for free would have been an act of cruelty.

    Linksys WiFi APs followed shortly for the same reason.

    1. elaar

      Re: Hardly the first problem

      It does beg the question though, why not buy a proper Cisco SOHO router (like the C900) that has a proper IOS? All of those RV routers might have the Cisco brand attached, but they're the equivalent of the cheap Linksys stuff.

      1. Anonymous Coward
        Anonymous Coward

        Re: Hardly the first problem

        I think at this point if I'm running a SMB or SOHO, rather than deal with Cisco I'd probably buy a pfSense appliance from Netgate or buy/build my own hardware and run pfSense / OPNsense.

        I'd certainly evaluate and bake-off along those lines in any case.

  8. Henry Wertz 1 Gold badge

    What does this mean?

    What does it mean to "support the hardware" but not provide software updates even for critical security flaws? Isn't this nonsense and gibberish? Does it mean Cisco will keep billing you for "support" while (since they are not even patching critical flaws) really providing no support? Does it mean there's some kill switch in there, and the thing will fully drop dead in 2025? Does it mean there's some Cisco switch equivalent of DD-WRT* and Cisco will continue to consider the box supported (since they have already abandoned the software, but apparently not the hardware.) (Really I'm taking the piss on this last option, I'm sure Cisco would not permit that to happen.)

    *DD-WRT is aftermarket firmware for wireless access points, for those many "consumer" access points where the stock hardware may be fine but the stock firmware can be awful, feature-poor, buggy, and not receive updates for long at all.

  9. Anonymous Coward
    Anonymous Coward

    Out sourced our network security

    We're a small business.

    We out sourced our windows setup, network management, security and VPN last year.

    It was cheaper then employing someone and less risky then trying to do it ourselves.

  10. jeff_w87

    White Box Switches and Cumulus Linux

    We bought a few of these for a backnet solution a few years ago as a test case and they worked great (also 1/3 the cost of a comparable Cisco solution)! Easy to manage, configure and secure since it's Linux based. Also available for Mellanox switches as well if you don't want to go the "white box" route. Might be worth a look for anyone looking to move on from Cisco's lack of support for their products.

    1. Nate Amsden

      Re: White Box Switches and Cumulus Linux

      People could have the same issue here depending on their hardware. When Nvidia bought Mellenox they killed off support for Broadcom on Cumulus Linux, had a lot of upset users. Looks like Cumulus 4.2 was the last one to support Broadcom chips. (I have never used Cumulus/Mellenox or white box switches in general myself)

      Assuming you purchased your gear before the acquisition(2020), since you said "a few years ago", so hopefully your switches are not Broadcom based if you ran them with Cumulus.

  11. cFortC

    Don't enable remote management

    The workaround is simple: disable remote management.

    These types of routers are almost always used in the home or SOHO where the requirement for remote management is nil.

    1. Kevin McMurtrie Silver badge

      Re: Don't enable remote management

      Firsthand experience: The remote admin switch might not actually turn off all remote administration. Even if it does, there are still LAN attacks from compromised apps or IoT.

  12. DerekCurrie
    Mushroom

    How Inspiring!

    Owners of these routers are of course inspired to buy anything else from Cisco. /sarcasm

  13. sreynolds

    So much for your right to repair....

    Very soon people will cotton on to the fact that they paying a huge amount for a service that is being bundled with the hardware.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like