Cisco won’t fix zero-day RCE vulnerability in end-of-life VPN routers

In a security advisory published on Wednesday, Cisco said that a critical vulnerability in Universal Plug-and-Play (UPnP) service of multiple small business VPN routers will not be patched because the devices have reached end-of-life.

The zero-day bug (tracked as CVE-2021-34730 and rated with a 9.8/10 severity score) is caused by improper validation of incoming UPnP traffic and was reported by Quentin Kaiser of IoT Inspector Research Lab.

Unauthenticated attackers can exploit it to restart vulnerable devices or execute arbitrary code remotely as the root user on the underlying operating system.

“Cisco has not released and will not release software updates to address the vulnerability described in this advisory,” the company says.

“The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process.”

According to an announcement on Cisco’s website, the last day these RV Series routers were available for order was December 2, 2019.

The company asks customers who are still using these router models to migrate to newer Cisco Small Business RV132W, RV160, or RV160W Routers that still receive security updates.

Additionally, Cisco says that its Product Security Incident Response Team (PSIRT) is not aware of any public proof-of-concept exploits for this zero-day or any threat actors exploiting the bug in the wild.

Mitigation available

The bug impacts the RV110W, RV130, RV130W, and RV215W router models ONLY if the UPnP service is toggled on.

According to Cisco, UPnP is only enabled by default for these devices on LAN (local area network) interfaces and disabled by default for all WAN (wide area network) interfaces.

Affected router models are not considered vulnerable if the service is disabled on both the LAN and WAN interfaces.

While Cisco doesn’t plan to release security updates to address this critical vulnerability, admins can remove the attack vector to block attacks by disabling the UPnP service on all impacted routers via their web-based management interface.

“To determine whether the UPnP feature is enabled on the LAN interface of a device, open the web-based management interface and navigate to Basic Settings > UPnP,” Cisco added. “If the Disable check box is unchecked, UPnP is enabled on the device.”

Zero-day waiting for a patch

Cisco revealed two weeks ago that another remote code execution (RCE) bug in the Adaptive Security Device Manager (ADSM) Launcher disclosed last month is a zero-day that is yet to receive a security update.

The company also released a patch for another zero-day vulnerability (CVE-2020-3556) in the Cisco AnyConnect Secure Mobility Client VPN software six months after initial disclosure, even though it was aware of publicly available proof-of-concept exploit code.

Even though Cisco did not share the reason behind the delay, a fix was likely not a priority because there was no evidence of in the wild abuse and default configurations were not vulnerable to attacks.

While threat actors did not exploit these two flaws, they pounced on a Cisco ASA bug (partially patched in October 2020 and fully addressed in April 2021) immediately after a PoC exploit was released on Twitter.