Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label EOL. Show all posts

D-Link Urges Replacement of End-of-Life VPN Routers Amid Critical Security Vulnerability

 

D-Link has issued a strong warning to its customers, advising them to replace certain end-of-life (EoL) VPN router models immediately. This follows the discovery of a critical unauthenticated remote code execution (RCE) vulnerability that will not be addressed with security patches for the affected devices. The vulnerability was reported to D-Link by security researcher “delsploit,” although technical details have been withheld to prevent widespread exploitation. The flaw impacts all hardware and firmware versions of the DSR-150, DSR-150N, DSR-250, and DSR-250N models, particularly firmware versions 3.13 to 3.17B901C. 

These routers, which have been popular among home offices and small businesses worldwide, officially reached their end-of-service (EoS) status on May 1, 2024. D-Link’s advisory makes it clear that no further security updates will be issued for these devices. Customers are strongly encouraged to replace the affected models to avoid potential risks. For users who continue using these devices despite the warnings, D-Link suggests downloading the latest available firmware from their legacy website. 

However, it is important to note that even the most up-to-date firmware will not protect the routers from the RCE vulnerability. The company also cautions against using third-party open-firmware solutions, as these are unsupported and will void any product warranties. D-Link’s policy not to provide security fixes for EoL devices reflects a broader strategy within the networking hardware industry. The company cites factors such as evolving technologies, market demands, and product lifecycle maturity as reasons for discontinuing support for older models. The issue with D-Link routers is not an isolated case. 

Earlier this month, researcher “Netsecfish” revealed CVE-2024-10914, a command injection flaw affecting thousands of EoL D-Link NAS devices. Similarly, three critical vulnerabilities were recently disclosed in the D-Link DSL6740C modem. In both instances, the company chose not to release updates despite evidence of active exploitation attempts. The growing trend of security risks in EoL networking hardware highlights the importance of timely device replacement. 

As D-Link warns, continued use of unsupported routers not only puts connected devices at risk but may also leave sensitive data vulnerable to exploitation. By replacing outdated equipment with modern, supported alternatives, users can ensure stronger protection against emerging cybersecurity threats.

Google: Two Major Pixel Vulnerabilities Patched

 

Google has published updates for Android 10, 11, 12, and 12L which include Pixel security patches. The Android Security Bulletin for May offers information about security flaws could affect Android devices. 
 
The Pixel Update Bulletin offers information about security flaws and functional enhancements for concerned Pixel devices. Google Pixel phones are "pure Android" devices. The two bulletins identify significant vulnerabilities as follows : 

  • CVE-2022-20120—Bootloader [Critical] The bootloader has a remote code execution (RCE) flaw. The bootloader on Android is a software program that loads the operating system every time users turn on the phone. It can only load software which has been signed by Google by default. If users unlock the bootloader, though, it will run whatever software you specify. The precise problem hasn't been revealed yet, but based on the scale of access required to exploit it, it may be very serious.
  • CVE-2022-20117— Titan-M[Critical] Titan M has an information disclosure (ID) flaw. Titan M is a security management chip designed specifically for Pixel phones to protect the most sensitive data and os version on the device. Titan M aids the bootloader in ensuring users running the correct Android version. . However, being able to steal data from the portion which is supposed to protect the most sensitive information does not look well. 
  • CVE-2021-35090: Qualcomm[Moderate] Qualcomm chips are the most extensively used in Android smartphones. 9.3 out of 10 for CVSS. Qualcomm has recognized this race condition in Kernel as a Time-of-check Time-of-use (TOC TOU). A potential hypervisor memory corruption owing to a TOC TOU race scenario when changing address mappings was also mentioned. A TOC TOU occurs whenever a resource is tested for a specific value, such as whether or not a file exists, and then the value alters before the asset is utilized, invalidating the check's results. When multiple threads have access to shared data and attempt to update it at the same time, a race condition occurs.
  • CVE-2022-20119 Display/Graphics[High] 
  • CVE-2022-20121 USCCDMService[High] 

The most serious of these issues, according to Google, is a highly secure vulnerability in the Framework component which might lead to local elevation of privilege (EoP) with user execution rights required, although the company does not specify which of the four candidates it is. 

All problems in these bulletins are addressed in security patch versions 2022-05-05 or later for Google and other Android devices. Check and update one Android version to discover how to check a device's security patch level. Experts advise all Android users to update to the most recent version. 

This week, the Pixel 3a and Pixel 3a XL series will acquire its final security updates. When it comes to support, they then reach the End-of-Life (EOL)

Cisco Shows no Intentions on Patching EOL Vulnerabilities

 

Cisco, an American Multinational Conglomerate stated this week it does not plan on fixing vulnerabilities in end-of-life (EOL) Cisco routers, more than 70 vulnerabilities were spotted in CISCO’s Small Business RV110W, RV130, RV130W, and routers. Despite these vulnerabilities, the company has no intentions to fix these patches.

Cisco stated that these devices have reached end-of-life (EOL) hence there is no point in fixing the Cisco routers. The deadline regarding software maintenance releases and bug fixes was December 1, 2020. Cisco has released software updates to fix these vulnerabilities and said they are not mindful of threat actor exploits targeting the vulnerabilities.

CVE-2021-1144 recognized as a high severity bug (CVSS score of 8.8) in Connected Mobile Experiences (CMX) is the most valuable flaw which can be exploited by threat actors to alter the passwords for any user account on the system which includes administrator accounts as well. Threat actors can exploit the vulnerability by sending an altered HTTP request to a susceptible device.

CVE-2021-1237 (CVSS score of 7.8) is tracked as another high severity flow, it was detected in the AnyConnect Secure Mobility Client for Windows, influencing the Web Security Agent Components and the endpoint solution’s Network Access Manager. This vulnerability could be exploited by an authenticated and local threat actor for Dynamic Link Library (DLL) installation.

Cisco stated that “an attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges”.

Cisco issued 18 other recommendations explaining medium severity bugs in Proximity Desktop for Windows, ASR 5000 routers, Enterprise NFV Infrastructure Software (NFVIS), Webex, Finesse, Firepower Management Center (FMC), Video Surveillance 8000 IP Cameras, Unified Communications products, DNA Center, AnyConnect Secure Mobility Client, and CMX API authorizations.