Cisco Talos Discusses Flaws in SOHO Routers Post-VPNFilter

Cisco Talos has published a list of numerous vulnerabilities in small and home office (SOHO) and industrial wireless routers.

In their pursuit of bolstering security and safeguarding users against potential threats, Talos has collaborated closely with router vendors over the last five years, leading to the reporting and mitigation of 141 advisories, encompassing 289 Common Vulnerabilities and Exposures (CVEs) affecting multiple router models.

For context, in 2018 Talos brought to light the VPNFilter malware, which posed a significant threat to SOHO network equipment and was capable of compromising or wiping targeted devices entirely.

Subsequently, numerous reports have described state-sponsored campaigns and criminal actors targeting SOHO routers.

To address this growing concern, the Talos Vulnerability Discovery and Research Team made SOHO and industrial routers a top priority following the VPNFilter incident.

In the advisory published on Wednesday, the security firm said the routers’ widespread adoption and user-friendly features still make them valuable targets for adversaries, with vulnerabilities providing entry points to networks.

Despite improvements in the security posture of these routers over the years, certain critical security principles remain crucial for manufacturers.

These include disabling non-essential features and services by default, deactivating WAN-side management by default, implementing TLS/SSL encryption, not trusting user input, keeping third-party code up to date and auditing integrated code.

Each of the router vulnerabilities that Talos discovered over the last five years can be classified within these categories, emphasizing the importance of code quality and the use of safe functions during development.

In addition, while memory-safe languages such as Rust and Go are ideal, vendors can also employ compiler- and OS-based mitigations such as non-executable stacks and address space layout randomization (ASLR) to further reduce risk.

Defining clear user-interaction boundaries is another significant step towards preventing malicious users from executing arbitrary commands. With a well-defined API boundary, it becomes easier to validate user requests and input, adding a further layer of access control.
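The API-boundary approach described above, together with the WAN-side-management default from the principles list, as an added example that is not code from Talos or any router vendor: a C handler for a hypothetical ping-diagnostic endpoint that refuses requests arriving on anything but the LAN bridge and allow-lists the host parameter before assembling an argv for execvp(). The struct fields, the interface names and the 253-character limit are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Constructed example of a router admin-API request as the firmware's web
 * server might decode it. Field names are assumptions, not a real vendor API. */
struct admin_request {
    const char *iface; /* ingress interface, e.g. "br-lan" (LAN) or "eth0.2" (WAN) */
    const char *host;  /* user-supplied "host" parameter of a ping diagnostic */
};

enum api_result { API_OK = 0, API_DENIED_WAN = 1, API_BAD_INPUT = 2 };

/* Secure default: management is accepted only from the LAN bridge (assumed name). */
static const char *const MGMT_IFACES[] = { "br-lan", NULL };

static bool iface_is_lan(const char *iface)
{
    for (const char *const *p = MGMT_IFACES; *p; p++)
        if (strcmp(*p, iface) == 0) return true;
    return false;
}

/* Allow-list validation: a hostname or IPv4 literal is letters, digits, '.'
 * and '-'. Shell metacharacters, whitespace and quotes never pass, and a
 * leading '-' is refused so the value cannot be parsed as a ping option. */
bool host_param_is_valid(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-') return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-') return false;
    }
    return true;
}

/* The single API boundary: access control first, then input validation, and
 * only then is the argv for ping assembled. The caller hands argv to execvp()
 * (no system(), no shell), so the host value is always exactly one argument. */
enum api_result handle_ping_request(const struct admin_request *req, char *argv[5])
{
    if (!iface_is_lan(req->iface)) return API_DENIED_WAN;
    if (!host_param_is_valid(req->host)) return API_BAD_INPUT;
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = "1";
    argv[3] = (char *)req->host; argv[4] = NULL;
    return API_OK;
}
```

Rejected requests return a code before any process is spawned, so logging API_DENIED_WAN counts gives a cheap detection signal for management attempts from the WAN side.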

Implementing firewall rules to block traffic for services that cannot be disabled also improves protection.

Additionally, users should research devices before acquisition to ensure secure defaults, such as encrypted protocols for remote access and administration.

All research has been publicly disclosed according to Cisco’s vulnerability disclosure policy, leading to vulnerability remediations that enhance the security posture of users relying on these devices.
