News RV340/345 Security Vulnerability

[jasonreg]

Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability

I am having a bit of difficulty in deciding how worried I should be, but I am concerned with the "there are no work-arounds" and "we are not going to fix it statements".

One question I have for the group is what (if any?) impact would I see by disabling the RESTCONF option as described in the article?

(thx to GKToronto for posting this on the Cisco SB Forum)

 

[Tech9]

If you don't want to disturb your working setup and have security concerns - place another firewall in front of your RV34x router.

 

[Miner]

That RESTCONF setting has a checkbox for LAN and WAN. Surprisingly the Cisco advisory does not even mention this.

That being so, I'm going to proceed with 'keeping the WAN checkmark set to off' is good enough.

The Cisco Admin Guide for RESTCONF says nothing useful, e.g., "By default, it is enabled on LAN interface. It can also be enabled on both LAN and WAN interfaces."

 

[jasonreg]

This is how (RESTCONF unchecked) I have been running since this advisory came out. I have not seen any issues whatsoever. That said, I will be replacing the router shortly I think.

 

[Christos]

If you don't want to disturb your working setup and have security concerns - place another firewall in front of your RV34x router.

Which firewall should this be?
A consumer firewall that would block the hole for a couple of years or an open source firewall that would get updates for longer, but is harder to setup?

 

[coxhaus]

We had a good run with the Cisco RV340 routers. Once Cisco drops support they will not fix it anymore.

I am using now a Dell small form factor PC with low watt CPU and pfsense. It works good and so far, has better support than in the old days.

 

[Tech9]

Which firewall should this be?

I still have one Cisco RV in use behind 2x ISP gateways, Dual-WAN in Auto and 4x Cisco APs. Works in my summer house for years, no one had any interest to hack the setup and nothing to hack there anyway.

 

[sfx2000]

We had a good run with the Cisco RV340 routers. Once Cisco drops support they will not fix it anymore.

Yes, and this is a bit of a problem...

I know of specific installation where the owner would like to replace it, but cannot as he doesn't own it - it's provided by his credit card service provider, and it is part of a PCI/EMV compliant network chain of trust.

It's unfortunate that Cisco stepped away from that market segment - the replacement in their product line card is much more expensive and not much more capable than the RV line was.

 

[coxhaus]

Yes, and this is a bit of a problem...

I know of specific installation where the owner would like to replace it, but cannot as he doesn't own it - it's provided by his credit card service provider, and it is part of a PCI/EMV compliant network chain of trust.

It's unfortunate that Cisco stepped away from that market segment - the replacement in their product line card is much more expensive and not much more capable than the RV line was.

I think Cisco came to the conclusion that router front doors require a lot of maintenance which translated to costs for them to maintain an internet front door as hacking is a very big problem nowadays.