1. Overview of Cisco Router Vulnerabilities
On January 11, Cisco disclosed two serious vulnerabilities (CVE-2023-20025 and CVE-2023-20026) in its SMB (small and medium-sized business) routers. These vulnerabilities allow an unauthenticated attacker to gain full control of the target device and execute commands with root privileges.
But because these routers have reached the end of their life cycle, Cisco said it will not release new software to address the vulnerabilities on these routers.
All software versions of Cisco RV series small and medium-sized enterprise routers are affected by the two vulnerabilities CVE-2023-20025 and CVE-2023-20026.
CVE-2023-20025 is a vulnerability in the web management interface on RV series routers (RV016, RV042, RV042G, and RV082) that could allow an unauthenticated, remote attacker to bypass authentication on the device.
The root cause is that the system does not properly validate user input. By sending a crafted HTTP request to the web management interface, an attacker can bypass authentication and obtain root access to the underlying operating system.
In addition, CVE-2023-20026 is a router remote command execution vulnerability that also occurs in the web management interface and allows an authenticated remote attacker to execute arbitrary commands on the affected device.
Like the first flaw, it stems from improper validation of user input in HTTP packets, and successful exploitation gives the attacker root privileges and access to unauthorized data. To exploit this vulnerability, however, the attacker must first hold valid administrative credentials on the device.
“Because the product is past its lifecycle, Cisco has not and will not release a software update to address this vulnerability. There is no workaround for this vulnerability,” Cisco said in its advisory.
Currently, administrators can only disable remote management and block access to ports 443 and 60443 to mitigate the vulnerability. After implementing these mitigation measures, administrators can still access the router through the LAN interface.
The researchers noted that even though these routers have been discontinued, the existing installed base of these devices is still large.
It is not uncommon for outdated equipment to remain in use in business environments for long periods of time, and replacing the equipment is the best option to fully protect the business.
You know, this isn’t the first time this has happened.
Last September, a zero-day security vulnerability was discovered in Cisco’s RV series routers, but Cisco explicitly refused to fix it and recommended that users buy the latest products instead.
The security issue at the time affected Cisco’s VPN routers for small and medium-sized enterprises, namely the RV110W, RV130, RV130W and RV215W series. The vulnerability, CVE-2022-20923 (cisco-sa-sb-rv-vpnbypass-Cpheup9O), was caused by an error in the password verification algorithm, which allowed attackers to connect to the VPN router using specially prepared credentials.
According to Cisco, the vulnerability could allow an attacker to bypass authentication and gain access to an IPSec VPN, or even obtain the same privileges as a network administrator, depending on the credentials used by the application.
This is far from the first time Cisco has acknowledged security vulnerabilities but explicitly refused to fix them. The RV series routers involved this time had a vulnerability discovered in August of the previous year, and Cisco did not intend to fix it at the time. Another vulnerability was discovered in June last year; Cisco again chose to ignore it and only recommended that users upgrade to the latest products.
Replacing the device is the ultimate solution to the vulnerability. Of course, some colleagues have expressed different opinions:
“If Cisco drops software support early, what’s the point of hardware support until 2025?”
“For example, door locks are vulnerable to attack. If someone picks the lock, should the door lock manufacturer be fined?”
“For security products, I expect full support for at least 15 years. Given Cisco’s disregard for security issues, I think it’s time to move on from their products and support businesses that won’t let you upgrade to new equipment to fix the problem.”
“Some stopped selling them in 2016, and support was completely discontinued in early 2022. Which product that you buy will last you a lifetime?”
“I’ve been working in networking for about 20 years and I’ve never heard of any vendor/product that offers 15 years of support after the sale; the best I’ve heard of is about 5 years.”
What do you think about this?
2. What to do if a Cisco router fails?
Although vulnerabilities in Cisco routers keep appearing, they are not the main reason your router fails.
Here we share three Cisco router failure scenarios and the corresponding troubleshooting approaches. You are welcome to save them and forward them to more friends in the same industry.
2.1 Overloaded, the router’s external network port shuts down
1. Network environment
An organization uses a Cisco router with dual-line Internet access: a 30MB China Telecom local line and a 10MB education network line. The network had run stably for two years and the router had never malfunctioned.
As the number of Internet users grew, the original 30MB Telecom line could no longer meet demand, so the organization decided to rent a 100MB Telecom line to solve the bandwidth problem. Telecom ran optical fiber into the organization’s computer room and used a 100M optical-to-electrical converter to connect it to the router’s external network port over a twisted-pair cable. The router used a 1000M electrical port as its external network port; because the optical-to-electrical converter only supported 100MB, the port speed after connection showed as 100MB.
2. External port traffic is zero
After a few days of operation, the administrator found that whenever traffic on the router’s external network port exceeded 50 Mbps, the port displayed “Receive Errors”, indicating excessive traffic and a large number of error messages.
Then the external network became unreachable. I Telnetted to the router and found that the external network port facing Telecom carried no traffic even though its status was UP. The other ports on the router were working normally. My first reaction was that the problem was on the Telecom side, so I called them to check. They quickly replied that there was no problem on their side and asked whether the optical-to-electrical converter had failed.
The administrator restarted the optical-to-electrical converter, but the problem persisted. With no other option, he restarted the router, which cleared the fault, but less than an hour later the problem reappeared.
Telnetting to the router and executing shutdown followed by no shutdown on the external network port also cleared the fault. However, even after applying all virus-related security policies to the port and changing the TCP MSS to 2048 (the manufacturer’s default is 1460), the fault kept recurring.
3. Fault analysis
The administrator found that when the fault occurred, CPU utilization was 23% and memory utilization was 33%, neither of which was high. The key observation was that the other interfaces were working normally, so the problem still seemed to lie with this port. Yet the port had been in use for two years and had communicated normally before the upgrade and expansion, so it appeared that something was wrong with the port hardware.
Using the network management software to inspect the port’s traffic before each shutdown showed that a large volume of traffic (over 80 Mbps) passed through the port just before it went down, and that the port reported many errors. Analysis suggested that the cause was excessive traffic and overly high port utilization.
Once utilization exceeds 80%, the port can no longer function properly. If the port could run in Gigabit mode, the 100MB bandwidth would consume only 10% of its capacity, which it could handle easily.
4. Solution
Once the cause was found, the recommended fix was to buy a Gigabit optical-to-electrical converter to replace the original 100M unit, which was relatively cheap. However, to ensure stable network operation, the organization decided to purchase a Gigabit optical-port routing module instead, so that the router could communicate directly over the fiber and reduce network delay.
Telecom enforces the 100M bandwidth with a port speed limit. After a period of operation, apart from a small number of error messages, the port has never again shut down for no reason.
If after reading this you want to learn more about switch technology but are unsure where to start, you are welcome to send a private message to Lao Yang to ask about the details of a study plan.
2.2 Why does the router fail to send packets?
When configuring a router, you often run into this problem: network communication is normal and the router successfully routes data packets to the target network, yet packets originated by the router itself fail to get through. The fault shows up as the router being unable to ping the target network. The following is a typical case.
1. Description of the phenomenon
After the network configuration of an organization was completed, the administrator tested connectivity and found that when a ping was sent from the PC (6.159.245.195) to the target network (6.159.245.65/26), router R1 forwarded the packets successfully. However, when a ping was sent from R1 itself to the target network (6.159.245.65/26), the ping failed.
2. Troubleshooting process
First, trace the path that the ping request takes. In the routing table of R1, the destination address 6.159.245.65 matches the default route 0.0.0.0/0. In the routing tables of R2, R3 and R4, entries matching the destination address can also be found.
Next, trace the path that the ICMP echo reply packet takes. To do this, you need to identify the source address of the ping, which becomes the destination address of the echo reply. When the PC sends the ping, the destination address of the echo reply is 6.159.245.195. When router R1 sends the ping, the destination address of the echo reply is 71.170.0.146.
Checking R4’s routing table, there is an entry matching 6.159.245.195, but there is no entry matching the destination address 71.170.0.146.
So the ICMP echo reply is discarded when R4 processes it, which is why a ping from R1 to the target network behind R4 (6.159.245.65/26) fails.
3. Solution
Add a static route to 71.170.0.144/30 on router R4, with the next hop address 71.170.0.214. After this, pings from R1 to R4 work normally.
Although this kind of failure does not affect normal network communication and the troubleshooting is simple, it shows that we must consider the complete, two-way communication process, including the return path, when analyzing and troubleshooting network faults.
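To make the return-path reasoning above concrete, here is an added example (not part of the original post) that simulates R4’s longest-prefix-match lookup before and after the static route is added. The two 6.159.245.x prefixes in R4’s table are assumptions; the page only states that R4 matches 6.159.245.195 and has no route for 71.170.0.146.

```python
import ipaddress

# Constructed routing table for R4 before the fix. The 6.159.245.x prefixes are
# assumed; the page only says R4 has a route for the PC and none for R1's address.
R4_BEFORE = {
    "6.159.245.192/26": "direct",   # assumed: the PC's subnet (6.159.245.195)
    "6.159.245.64/26": "direct",    # assumed: the target network (6.159.245.65/26)
}

# R4 after the fix: the static route the page adds, with next hop 71.170.0.214.
R4_AFTER = dict(R4_BEFORE)
R4_AFTER["71.170.0.144/30"] = "71.170.0.214"


def lookup(table, dst):
    """Longest-prefix match of dst against table.

    Returns (prefix, next_hop) for the most specific matching entry, or None
    when no entry matches (the router would drop the packet).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def echo_reply_deliverable(table, ping_source):
    """True if R4 can route the ICMP echo reply back to the ping's source."""
    return lookup(table, ping_source) is not None


PC_SRC = "6.159.245.195"   # source of a ping from the PC
R1_SRC = "71.170.0.146"    # source of a ping from R1 (its outgoing interface)

if __name__ == "__main__":
    for label, table in (("before", R4_BEFORE), ("after", R4_AFTER)):
        print(label,
              "PC ping replies:", echo_reply_deliverable(table, PC_SRC),
              "R1 ping replies:", echo_reply_deliverable(table, R1_SRC))
```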
2.3 The Difficult Journey of Upgrading Cisco Router IOS
A school began building its campus network in 2003. In recent years the number of Internet users has kept growing, so the original Cisco 2621 can no longer meet the network’s needs. In addition, an OA (office automation) system was recently deployed, and a VPN device is needed so that off-campus users can reach the on-campus OA system.
For cost reasons, the school wanted to repurpose the idle Cisco 2621 router as the VPN device. However, several problems came up during the IOS upgrade.
1. Garbled characters appear when logging into the HyperTerminal
I took the router out of the computer room warehouse and powered it on. Connecting through the console port, I saw garbled characters on the HyperTerminal screen. Could the console port be broken?
Normally, if the console port of a Cisco device is broken, it continuously outputs garbled characters to the HyperTerminal screen. This time, however, the garbled characters appeared only after the Enter key was pressed, which pointed instead to an incorrect baud rate (bits per second) setting.
The administrator changed the default of 9600 to 115200, and the router then booted normally. After startup, show run confirmed that the console rate was indeed set to 115200.
2. Upgrade failed due to insufficient memory
The Cisco 2621 router to be upgraded supports VPN. Its original IOS version is C2600-i-mz.122-8.T4.bin. From online research, only the K8 and K9 series IOS images for the Cisco 2621 support VPN.
So the administrator downloaded the new IOS image c2600-ik9o3s3-mz.123-22.bin from the Internet, which was 15MB in size.
The upgrade process is as follows:
(1) Configure the IP address of the router’s FastEthernet 0/0 interface, back up the original IOS with the “copy flash: tftp:” command, and then copy the new image to flash with the “copy tftp: flash:” command.
(2) Restart the router and find the following error message, which means there is not enough memory to run IOS:
Error:memory requirements exceed available memory Memory required:0x0284A0BC
I checked the Cisco official website and found that the IOS image c2600-ik9o3s3-mz.123-22.bin requires the router to have 64MB of memory and 16MB of flash. The boot information above showed that the router had only 32MB of memory, so the image could not start.
I later bought a 128MB memory module online and installed it. With the memory increased, the router booted successfully.
3. IOS upload verification failed via TFTP in ROM monitor mode
Since the router IOS upgrade had failed, I wanted to restore the original IOS. After a Cisco IOS upgrade fails, there are two ways to restore the IOS: TFTP and Xmodem. TFTP transfers quickly, while Xmodem transfers slowly.
In ROM monitor mode, use TFTP to upload the IOS. The process is as follows:
(1) Configure the IP address on FastEthernet 0/0 and use the set command to view the configuration. By default, the IP address configured in ROM monitor mode is bound to FastEthernet 0/0. The configured IP address must be in the same network segment as the TFTP server.
(2) Download the image with tftpdnld. The TFTP server used at first was Cisco’s own TFTP server, but it timed out halfway through the transfer.
After transferring with 3Cdaemon, the following warning was found:
TFTP flash C0PY: Warning, ChecksSum comparison failed.
Restart the router, but the router cannot start and prompts IOS verification error.
I thought it might be an error when downloading IOS, but after re-downloading c2600-ipbase-mz.123-6c.bin, it still didn’t work, so it didn’t seem to be an IOS problem. Later, I changed the network cable and TFTP software, but it still didn’t work.
4. Solution
Transfer the image with Xmodem instead. To speed up the transfer, change the Xmodem transfer speed to 115200. After the IOS has been transferred via Xmodem, restart the router and it will boot.
(1) If a verification error is shown when uploading the IOS via TFTP, consider uploading via Xmodem instead.
(2) The IP address of the TFTP server must be in the same network segment as the router’s Ethernet port.
(3) When uploading the IOS via Xmodem, it is best to use the HyperTerminal that ships with Windows.
(4) TFTP (Trivial File Transfer Protocol) supports transferring files up to 32MB. If the IOS is larger than 32MB, you can consider using third-party TFTP software, such as 3Cdaemon.