Genesis of ‘forever-day’ vulnerability in Cisco business-grade router line uncovered

Flaws in wireless chip firmware tech from Broadcom went unnoticed and led to inherited security problems in networking kit, researchers discover

UPDATED The rediscovery of vulnerabilities in wireless chip firmware technology from Broadcom has revealed how inherited security flaws can get baked into networking technology.

Security researchers at IoT Inspector discovered that although Broadcom (silently) patched vulnerabilities in its software development kit (SDK) for its chipsets as early as 2011, they still affected devices released years later by major vendors such as Cisco, DD-WRT, and Linksys (a brand owned by Cisco until 2013, when the line was bought by Belkin).

“As the affected Cisco devices are end of life, those issues will remain forever-days,” said Florian Lukavsky, managing director of IoT Inspector.

The Germany-based security consultancy uncovered flaws in the Universal Plug and Play (UPnP) implementation of Broadcom’s SDK while developing detection rules for Broadcom binaries, as revealed in a technical blog post today (October 5).


Subsequent detective work led to the discovery of CVE-2021-34730, an unauthenticated remote code execution (RCE) flaw affecting Cisco RV110, RV130, and RV215, a range of routers aimed at meeting the needs of smaller businesses.

Damage downstream

Flaws uncovered by IoT Inspector match those addressed in a joint security advisory by DD-WRT and SSD-Disclosure.

Security researchers used GitHub’s powerful search engine to identify repositories containing Broadcom’s flawed UPnP code.

The inherited flaws in networking devices show that supply chain issues extend beyond software-only ecosystems and can also affect the embedded wireless chips inside networking devices.


“This further demonstrates the crucial need for supply chain security validation, such as secure development lifecycles and source code reviews on the supplier’s end, and third-party source code review on the device vendor’s end,” IoT Inspector said.

In response to questions from The Daily Swig, IoT Inspector's Lukavsky explained the firm's research methodology, adding that the same approach could easily be applied in other contexts.

"In the process of improving analysis capabilities of IoT Inspector, we investigate code that is reused often across different firmware versions, products and vendors," Lukavsky said. "With this approach, we have identified a few interesting SDKs and cloud platforms in the past, which we then analyzed more closely."

The security firm’s latest report follows earlier research that revealed how high-severity security flaws in Realtek chipsets impacted more than 65 IoT device manufacturers.

This story was updated with comment from IoT Inspector's Florian Lukavsky
