Cisco Says it Won’t Issue Patches for XSS Flaw in EoL VPN Routers

Cisco has issued an advisory regarding a significant security vulnerability affecting several models of its Small Business routers.

Identified as a Cross-Site Scripting (XSS) flaw, the vulnerability poses a potential threat to network security, allowing unauthenticated, remote attackers to execute malicious scripts. This briefing provides an overview of the impacted models, the risks associated with the vulnerability, and the recommended actions for mitigation.

The advisory specifies that the XSS vulnerability impacts the web-based management interface of the following Cisco Small Business routers:

• RV016 Multi-WAN VPN Routers
• RV042 Dual WAN VPN Routers
• RV042G Dual Gigabit WAN VPN Routers
• RV082 Dual WAN VPN Routers
• RV320 Dual Gigabit WAN VPN Routers
• RV325 Dual Gigabit WAN VPN Routers

The vulnerability, cataloged under CVE-2024-20362, arises from insufficient input validation by the web-based management interface. Malicious actors can exploit this flaw by convincing a user to click on a link to a specially crafted web page, potentially leading to arbitrary script execution or access to sensitive information within the interface's context.

Unfortunately, Cisco has not released software updates to address this vulnerability, citing the affected products have entered the end-of-life process. As such, no direct fixes are available. However, Cisco advises the following mitigation steps to reduce exposure:

• Disable Remote Management: Access the router's web-based management interface, navigate to Firewall > General, and uncheck the Remote Management option.
• Block Access to Ports 443 and 60443: For added security, block these ports by creating specific access rules within the router's interface.

These measures, while not a solution to the vulnerability, can help reduce the risk of exploitation. It's important for users to evaluate these mitigations within the context of their network environment to avoid unintended disruptions.

This vulnerability underscores the importance of maintaining up-to-date network infrastructure and the risks associated with end-of-life products. Users of the affected Cisco routers should consider either applying the recommended mitigations carefully, or migrate to newer, supported devices that receive regular security updates.

The XSS vulnerability in Cisco Small Business routers serves as a reminder of the persistent challenges in cybersecurity management. By adhering to recommended practices and preparing for equipment upgrades, businesses can safeguard their networks against potential threats.