Cisco won’t fix authentication bypass zero-day in EoL routers

Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life (EoL).

This zero-day bug (CVE-2022-20923) is caused by a faulty password validation algorithm that attackers could exploit to log into the VPN on vulnerable devices using what the company describes as “crafted credentials” if the IPSec VPN Server feature is enabled.

“A successful exploit could allow the attacker to bypass authentication and access the IPSec VPN network,” Cisco explained in a security advisory issued on Wednesday.

“The attacker may obtain privileges that are the same level as an administrative user, depending on the crafted credentials that are used.”

To determine if the IPSec VPN Server is enabled on a router, you have to log in to the web-based management interface and go to VPN > IPSec VPN Server > Setup.

If the “Server Enable” check box is checked, the device is exposed to CVE-2022-20923 exploitation attempts.

Luckily, Cisco says that its Product Security Incident Response Team (PSIRT) had found no evidence of publicly available proof-of-concept exploits for this zero-day, nor of any threat actors exploiting the bug in the wild, as of the advisory's publication.

Upgrade to newer router models for protection

Cisco asked customers still using the RV110W, RV130, RV130W, and RV215W routers affected by this security vulnerability to upgrade to newer models still receiving security updates.

According to an end-of-sale announcement on Cisco’s website, the last day these RV Series routers were available for order was December 2, 2019.

“Cisco has not released and will not release software updates to address the vulnerability described in this advisory,” the company added.

“Customers are encouraged to migrate to Cisco Small Business RV132W, RV160, or RV160W Routers.”

CVE-2022-20923 is not the first severe security vulnerability affecting these EoL router models that Cisco left unpatched in recent years.

For instance, in August 2021, the company said it wouldn’t release security patches for a critical vulnerability (CVE-2021-34730) in these RV Series routers that enabled unauthenticated attackers to execute arbitrary code remotely as the root user, asking users to migrate to newer models.

In June 2022, Cisco again advised owners to switch to newer models after disclosing a new critical remote code execution (RCE) vulnerability (CVE-2022-20825) that wouldn’t get patched.