End-of-life Cisco VPN Routers Open for RCE Attacks


Censys recently reported that there are 19,500 end-of-life Cisco VPN routers being used by individuals and small businesses on the internet that may be at risk of being targeted by a new attack. 

Using a combination of the two vulnerabilities mentioned below, threat actors have been able to evade authentication processes and execute arbitrary commands on Cisco Small Business routers based on the underlying operating system:-

End-of-life Cisco VPN Routers Open for RCE Attacks

Routers Affected by the Vulnerability

There are four Cisco small business routers that are affected by this vulnerability, and here below we have mentioned them:-

End-of-life Cisco VPN Routers Open for RCE Attacks

Top Countries Running a Vulnerable Cisco Device

Here below we have mentioned the top ten countries that are currently running a vulnerable Cisco device:-

EHA

  • United States: 4,594
  • Canada: 1,748
  • India: 1,508
  • Brazil: 1,355
  • Poland: 1,314
  • Argentina: 1,156
  • Thailand: 806
  • Mexico: 535
  • Colombia: 489
  • China: 446

Thousands of Vulnerable Routers

There is a critical severity vulnerability in routers that allows unauthenticated attackers to bypass the authentication process and gain root access. This vulnerability can be exploited remotely by sending specially crafted HTTP requests to the router’s web-based management interface. 

Gaining root access means that the attacker has complete control over the router and can make changes, access sensitive information, and potentially use the router as a pivot point to attack other devices on the network. 

​Cisco affirmed that even though end-of-life devices will no longer receive security updates, users can still take steps to protect them from attacks. 

Recommendation

A recommended solution is to disable the web-based management interface and block access to ports 443 and 60443. Doing so would prevent any exploitation attempts on the device.

To do so you have to follow the simple steps that we have mentioned below:- 

  • First of all, log into each vulnerable router’s web-based management interface.
  • Then go to Firewall
  • After that, you have to go to General.
  • Now, uncheck the Remote Management check box. 
  • That’s it, now you are done.

In the event the above mitigations are implemented, the affected routers will still be accessible via the LAN interface and could still be configured.

Here below we have mentioned a few more security measures recommended by the experts:-

  • A new risk for this CVE will be available to Censys ASM customers.
  • On me.censys.io, users can view the services that are exposed over the internet by the host they are on.
  • For the purpose of finding hosts with matching model numbers, use Censys search.

Network Security Checklist – Download Free E-Book



Source link