Cisco warns it won't fix critical flaw in small business routers despite known exploit

Cisco "has not and will not release software updates" to address a critical flaw in four small business routers, despite having spotted proof of concept code for an exploit. The networking giant on Wednesday advised that its model RV016, RV042, RV042G, and RV082 routers are subject to CVE-2023-20025 – a critical-rated …

  1. GraXXoR

    I always find this sort of lack of flexibility a little disheartening. Where is the customer concern? Where is the humanity? Surely, offering a post cutoff patch would go a long way to generate goodwill and publicity.

    Though playing devil’s advocate, it might raise future expectations and even set them up for legal challenges if the good-will code has some unforeseen side effects. No good deed goes unpunished, etc.

    Probably best just to say “fk it! yer on yer own!”

    1. Bubba Von Braun
      FAIL

      "Probably best just to say “fk it! yer on yer own!”"

      I thought that's exactly what Cisco is saying!! After all "We are CISCO, resistance is futile!"

      1. alain williams Silver badge

        If it was just CISCO that took this attitude I would not be so concerned. These days most corporates take that attitude.

        Another part of the problem is that the end-of-support date is hard to find when you buy these things.

      2. Anonymous Coward
        Anonymous Coward

        "No one ever got fired for buying Cisco."

        ... though perhaps sometimes they should have been.

    2. Pascal Monett Silver badge

      Re: Customer concern ?

      That is soooo last millennium.

      These days megacorps don't even need to pretend any more. It's just "fork it over and thank your lucky stars you don't live in China".

    3. keith_w
      Black Helicopters

      As was said in the article, most small businesses don't have the expertise to block 443 or 60443, or even to find out that they need blocking, so why would anyone think that they would know to find the patch and then install it?

      1. coredump

        I had the same thought. You'd *hope* there's somebody familiar with at least the idea of patching, but putting that into practice at a SMB sans IT person (let alone "staff") is probably a longshot as often as not.

        Plus, unless Cisco et al are proactive about notifying customers of the peril, let alone the workaround / mitigation port-blocking or similar actions, what're the odds said SMB even knows they have a potentially affected device. Probably slim.

        Reality is kinda grim sometimes, eh?

  2. Yorick Hunt Silver badge

    It is Cisco, after all.

    If you weren't concerned that the NSA, CIA and FBI had backdoor access to your network through Cisco equipment, why would you be concerned if someone else also had a peek in?

    You buy based on marketing rather than research, you get what you deserve.

  3. Mishak Silver badge

    Did I read that right?

    They drop software updates whilst the hardware is still in support? Isn't that the wrong way round?

    1. mark l 2 Silver badge

      Re: Did I read that right?

      I agree with Mishak. What is the point of hardware support until 2025 if they drop the software support 4 years earlier?

      Hello Cisco support our router just died. Don't worry says Cisco another one with outdated OS and unpatched security flaws is on the way to you and will be there shortly.

      1. Captain Scarlet

        Re: Did I read that right?

        Maybe whoever purchased them got them with extended warranties for the hardware?

      2. Mayday
        Thumb Down

        Re: Did I read that right? - software support

        CCIE and long time “Cisco user” Here.

        That’s EXACTLY what they do. It’s a prickly conversation I’ve been having with customers for years.

        Example:

        Mayday: “hey large hospital customer, about half of your IP phone fleet is subject to a vulnerability which allows nasties to get in from outside and run arbitrary code on them, and then can hop off and compromise other internal systems such as medical equipment, PCs and other stuff”

        Hospital guy: “Thanks for that, these are good, working phones, let’s just update the software in them to a shiny new version”

        M: “they’re out of software support, you’ll need to buy thousands of new phones to replace them”

        HG: “they’re only a few years old, and they still work!”

        M: “I know. Sorry. Here’s a quote for new phones.”

        1. Mayday
          Flame

          Re: Did I read that right? - software support

          Add followup:

          Account manager: great win at $Healthmob. I’ll take you out for a drink Friday afternoon

          Mayday: cool thanks. What are you doing on the weekend?

          AM: going car shopping. Getting ripper commissions from selling all those phones to $Healthmob.

        2. Anonymous Coward
          Anonymous Coward

          Re: Did I read that right? - software support

          I suppose if they're stupid enough after that to accept your quote instead of picking another vendor, they deserve what they get next time.

          You, on the other hand, are a dirtbag if you ever give them another Cisco quote ever again.

          And you're even more of a dirtbag for putting Cisco phones on the same network as anything else. Physical separation and they'd be able to intelligently say "Don't care, phones are isolated, unlikely to get hacked, and won't hurt anything else if they do."

          1. Mayday
            WTF?

            Re: Did I read that right? - software support

            Customer were/are a Cisco shop and that’s what they wanted. No one made them accept the quote or even keep us as their preferred supplier.

            As for you, calling people names whilst hiding behind an AC. Well done.

            1. Brian 3

              Re: Did I read that right? - software support

              True Lawyer Speak: "No one made them..."

          2. david 12 Silver badge

            Re: Did I read that right? - software support

            phones are isolated ... and won't hurt anything else

            Supplier installed our phone system without changing the default password. Several $1000 AUD in call charges just in a couple of days and ramping up: we only noticed when all virtual connections were used up.

          3. Anonymous Coward
            Anonymous Coward

            Re: Did I read that right? - software support

            At $JOB-1, the office network jack for your PC or laptop was literally the daisy-chain port on your office phone. Can't remember the vendor.

            Sometime after that, maybe after an event somewhat like TFA or the OP in this sub-thread, the hardware phones went away and your office computer was plugged directly into the wall. As a replacement (billed as an upgrade) we got "soft phones", which really only worked with Corporate Windows PCs and Teams.

            Opinions varied. I'm not sure which was worse. But since I didn't care about phones (hard or soft) and left less than a year later, it didn't affect me much anyway.

            1. Down not across

              Re: Did I read that right? - software support

              At $JOB-1, the office network jack for your PC or laptop was literally the daisy-chain port on your office phone. Can't remember the vendor.

              True for many (most?) vendors. Generally the phone and the PC ports will be on different VLANs (assuming things are even vaguely properly configured).

              1. Anonymous Coward
                Anonymous Coward

                Re: Did I read that right? - software support

                No wonder those phones were so expensive.

                And probably no coincidence, no great surprise Corporate dumped them when they started bringing people back to office. Maybe they were losing their software support for those, too.

                I can't speak to the phones' config (ISTR they were Cisco but wouldn't swear to it), but it did seem to take a long time for IT to sort office datajack issues, compared to the old days when phone and PC weren't sharing a cable.

      3. coredump

        Re: Did I read that right?

        You maybe wouldn't mind so much about the gear outliving the software support if the hardware could run OpenWRT / DD-WRT or similar, but how many SMBs are really up for that sort of migration?

  4. Duncan Macdonald

    Cisco :-)

    Having used the US government to disable its main competitor (Huawei), it feels that it no longer needs to provide support to its customers.

    1. Black Label1
      Black Helicopters

      Re: Cisco :-)

      The game goes both ways. Word is Huawei also MAY have used some Cisco IP tech :-)

  5. Wade Burchette

    Time to dump Cisco

    This is the second story I've read in the last 12 months about Cisco not properly supporting their products. The other one was about a product with short support. For security products, I expect full support at least 15 years after the last one was sold brand new. With Cisco's greedy disregard for security, I say it is time to dump their products and give our money to companies that won't make you buy a newer one -- and thus have all the headaches of properly configuring a new one -- every 5 years or so.

    1. Nate Amsden

      Re: Time to dump Cisco

      Curious, can you name any such products, especially in the networking space? I've been doing networking for about 20 years and haven't heard of any vendor/product remotely approaching 15 years of support after end of sale, at most maybe 5 years?

    2. elaar

      Re: Time to dump Cisco

      This isn't a "security product" though, it's a very cheap 13 year old design SOHO router, and to be fair no business EVER should have remote web management enabled on a public facing device, that's a ridiculous thing to do full stop.

      1. david 12 Silver badge

        Re: Time to dump Cisco

        no business EVER should have remote web management

        But if it's unsafe why is it sold as a feature?

        To be fair Small Office is just about the only situation where the feature is useful. No redundant connections to allow indirect management, no redundant support to allow on-site management.

        During COVID, I was going into the factory every couple of weeks to restart elements of the computer system, Some of these trips could have been avoided if I'd allowed remote web management of the router.

        1. Anonymous Coward
          Anonymous Coward

          Re: Time to dump Cisco

          Why not a VPN to the router then effectively manage it as "local"? Surely safer to expose a VPN endpoint than a web UI?

          1. david 12 Silver badge

            Re: Time to dump Cisco

            Why not a VPN to the router then effectively manage it as "local"? Surely safer to expose a VPN endpoint than a web UI?

            Because it was the VPN that needed to be reset.

  6. Gene Cash Silver badge

    Thanks

    More fodder for the "Don't buy Cisco" bookmarks folder.

    1. Down not across

      Re: Thanks

      Certainly think carefully before touching any of their "Cisco Small Business"/RV line kit. Some of that kit was unbelievably buggy and Cisco had no interest in fixing any of the issues even whilst it was still current/supported.

      At least they support (somewhat at least) the normal enterprise kit.

  7. Kevin McMurtrie Silver badge

    Hardly the first problem

    I had one of those (RV042G I think) and it was hopeless to secure. If I reported a vulnerability, Cisco would send me a patched firmware file with a worse vulnerability. I crushed and disposed of it when the WAN ports had admin telnet permanently open with the default password. Giving it away for free would have been an act of cruelty.

    Linksys WiFi APs followed shortly for the same reason.

    1. elaar

      Re: Hardly the first problem

      It does beg the question though, why not buy a proper Cisco SOHO router (like the C900) that has a proper IOS? All of those RV routers might have the Cisco brand attached, but they're the equivalent of the cheap Linksys stuff.

      1. Anonymous Coward
        Anonymous Coward

        Re: Hardly the first problem

        I think at this point if I'm running a SMB or SOHO, rather than deal with Cisco I'd probably buy a pfSense appliance from Netgate or buy/build my own hardware and run pfSense / OPNsense.

        I'd certainly evaluate and bake-off along those lines in any case.

  8. Henry Wertz 1 Gold badge

    What does this mean?

    What does it mean to "support the hardware" but not provide software updates even for critical security flaws? Isn't this nonsense and gibberish? Does it mean Cisco will keep billing you for "support" while (since they are not even patching critical flaws) really providing no support? Does it mean there's some kill switch in there, and the thing will fully drop dead in 2025? Does it mean there's some Cisco switch equivalent of DD-WRT* and Cisco will continue to consider the box supported (since they have already abandoned the software, but apparently not the hardware.) (Really I'm taking the piss on this last option, I'm sure Cisco would not permit that to happen.)

    *DD-WRT is aftermarket firmware for wireless access points, for those many "consumer" access points where the stock hardware may be fine but the stock firmware can be awful, feature-poor, buggy, and not receive updates for long at all.

  9. Anonymous Coward
    Anonymous Coward

    Outsourced our network security

    We're a small business.

    We outsourced our Windows setup, network management, security and VPN last year.

    It was cheaper than employing someone and less risky than trying to do it ourselves.

  10. jeff_w87

    White Box Switches and Cumulus Linux

    We bought a few of these for a backnet solution a few years ago as a test case and they worked great (also 1/3 the cost of a comparable Cisco solution)! Easy to manage, configure and secure since it's Linux based. Also available for Mellanox switches as well if you don't want to go the "white box" route. Might be worth a look for anyone looking to move on from Cisco's lack of support for their products.

    1. Nate Amsden

      Re: White Box Switches and Cumulus Linux

      People could have the same issue here depending on their hardware. When Nvidia bought Mellanox they killed off support for Broadcom on Cumulus Linux, had a lot of upset users. Looks like Cumulus 4.2 was the last one to support Broadcom chips. (I have never used Cumulus/Mellanox or white box switches in general myself)

      Assuming you purchased your gear before the acquisition (2020), since you said "a few years ago", so hopefully your switches are not Broadcom based if you ran them with Cumulus.

  11. cFortC

    Don't enable remote management

    The workaround is simple: disable remote management.

    These types of routers are almost always used in the home or SOHO where the requirement for remote management is nil.

    1. Kevin McMurtrie Silver badge

      Re: Don't enable remote management

      Firsthand experience: The remote admin switch might not actually turn off all remote administration. Even if it does, there are still LAN attacks from compromised apps or IoT.
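The mitigation discussed in this thread (block 443 and 60443, or disable remote web management) is only worth anything if it actually took effect, and as Kevin McMurtrie notes above, the UI toggle may not close everything. The following is an added example, not code from the article or from any commenter, of the kind of check a small-business admin could run from a host outside the LAN (a phone hotspot, a friend's connection) against the router's public address to confirm the management ports are no longer reachable. The target address 192.0.2.1 is a TEST-NET placeholder, not a real device.

```python
import socket
import sys
from typing import Dict, Iterable, List

# Ports named in the article's workaround: the RV-series remote web
# management interface listens on 443 and 60443.
MANAGEMENT_PORTS = (443, 60443)


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A refused connection, a timeout (typical for a dropped/firewalled port)
    or any other socket error all count as 'not reachable'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_management_exposure(host: str,
                              ports: Iterable[int] = MANAGEMENT_PORTS,
                              timeout: float = 2.0) -> Dict[int, bool]:
    """Map each management port to whether it is reachable on host."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def exposed_ports(results: Dict[int, bool]) -> List[int]:
    """Return the sorted list of ports that were reachable."""
    return sorted(port for port, is_open in results.items() if is_open)


if __name__ == "__main__":
    # Run this from OUTSIDE your own LAN: from inside, the management UI
    # is legitimately reachable and the result says nothing about WAN exposure.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder
    results = check_management_exposure(target)
    still_open = exposed_ports(results)
    for port in MANAGEMENT_PORTS:
        state = "REACHABLE" if results[port] else "not reachable"
        print(f"{target}:{port} {state}")
    if still_open:
        print("Remote management is still exposed on:", still_open)
        sys.exit(1)
    print("Management ports are not reachable from here.")
```

A "not reachable" result from the WAN side is the evidence you want; a reachable 443 or 60443 after flipping the switch means the mitigation did not take, and the device should be put behind a separate firewall or replaced. This check says nothing about the LAN-side exposure the comment above also raises.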

  12. DerekCurrie
    Mushroom

    How Inspiring!

    Owners of these routers are of course inspired to buy anything else from Cisco. /sarcasm

  13. sreynolds

    So much for your right to repair....

    Very soon people will cotton on to the fact that they're paying a huge amount for a service that is being bundled with the hardware.
