Cisco announced last week the discovery of multiple critical vulnerabilities in their VPN routers. These are the latest in a long line of VPN security risks that have plagued the cybersecurity industry over the past year. The issues primarily affected Cisco’s VPN products for small businesses. Cisco issued a security advisory highlighting the affected products and announced the release of software updates to address these flaws.
Fortunately, in this instance, there’s no evidence these vulnerabilities were exploited by any malicious actors, but this episode serves as an important reminder of the serious gaps in security for some VPN routers. This is the second episode affecting Cisco VPNs in the past few months, and it’s clear many cybersecurity professionals are becoming increasingly concerned about how their organizations use VPNs.
What Happened With Cisco VPN Routers?
The vulnerabilities were confined to Cisco’s RV160 and RV260 range of small business routers, affecting all five models in these product lines. Other models in Cisco’s lineup of small business routers were confirmed to be unaffected. The vulnerabilities were located in the web-based management interface of the routers and allowed unauthenticated attackers to execute arbitrary code as the root user. Unchecked, this could have had severe security implications.
The affected routers were unable to properly validate HTTP requests. This allowed remote attackers to exploit the system by sending a crafted HTTP request to the management interface of the router. Had any bad actors successfully exploited this vulnerability, they would have had full access to read, change and delete data from affected devices. The vulnerabilities were so severe that they were assigned a base CVSS score of 9.8 out of 10, putting them firmly in the “critical” category.
In this latest instance, small and medium-sized businesses were the most vulnerable to these attacks. Smaller government entities were also classed as high risk, while larger enterprises and government agencies were assessed as medium risk. Cisco promotes these routers as a way for customers to ensure remote office workers can securely connect to business networks using a VPN. The routers sell for as much as $250 each.
With Cisco announcing patches to all affected products, it looks like businesses can breathe a sigh of relief for now. But this is just the latest instance of unsafe VPNs resulting in serious security risks to enterprises. With the rapid growth of remote work over the past year, organizations are more vulnerable than ever as more and more workers use VPNs.
Installing remote VPNs at scale instantly presents a challenge. Many hardware VPN solutions are difficult for IT departments to install, maintain and monitor, and they’re just as hard for employees to use. Workers often become frustrated with their VPN due to connection issues and bugs and simply neglect to use it. That opens organizations up to all kinds of vulnerabilities.
Improving VPN Security
In many instances, hardware-based VPNs are ideal for protecting businesses from these kinds of vulnerabilities. But this latest Cisco incident highlights the flaw with a lot of hardware-based VPNs – they are still reliant on a software component to work and that presents vulnerabilities.
One hardware-based VPN that isn’t reliant on software is Attila’s GoSilent Cube. The GoSilent Cube acts as a firewall between the device and the network, doesn’t require any software and is easy to set up and maintain. It’s encrypted to NSA standards so you can be sure your business is adequately protected against VPN threats.
Visit our Hardware VPN Resource Center to learn more.