Cisco Small Business Router: Vulnerabilities and broken firmware (March 2022)

Owners of Cisco small business routers are having a tough time at the moment. In February 2022, serious vulnerabilities were found in router models of the RV160, RV260, RV340 and RV345 families, among others, some of which are rated with a CVSS score of 10.0. Cisco did provide firmware updates for customers with appropriate licenses. However, the firmware is so flawed that the device is unusable afterwards.



Vulnerabilities in Cisco small business routers

I had reported in the blog post Cisco drama: Critical vulnerabilities in small business routers (Feb. 2022) on a security advisory from Cisco regarding its small business (SMB) routers. There are several vulnerabilities in the firmware of Cisco's RV160, RV260, RV340 and RV345 series small business routers, three of which have been classified as critical CVEs with a CVSS score of 10/10. The details can be read in the linked blog post.

Firmware updates are buggy

When my blog post was published, blog reader Klaus had already got in touch and complained that the security updates for the Cisco firmware were practically unusable. He wrote:

Nice that there is new firmware for the RV340, only with 1.0.03.26 the VPN function is then broken. With 1.0.03.24 VPN is broken and nothing comes in over the WAN ports.

If you need a working Cisco small business router, you have to stay on firmware version 1.0.03.22 for the RV340. At the same time, the manufacturer has announced the end of support for many models, so there will be no further firmware updates for them. Blog reader Haber Kurt also picked the topic up again in a comment dated March 7, 2022.

The Cisco forum is full of reports about bugs in the ..x.24 and ..x.26 firmware that make the device practically unusable, and yet they continue to offer it instead of pulling the ripcord.

At least you are now "safe" from an update, since Cisco has simply cut off the firmware without any real warning. Since March 1, all auto-update servers have been switched off for the series.

A downgrade to the still-working, though vulnerable, version ..x.22 is also not supported. You can then only boot via the backup firmware, if you have not yet updated that as well.

Question to everyone: how do those of you who are affected deal with this?

