Embedded insecurity: Broadcom SDK vulnerabilities create lingering risk for router manufacturers
Genesis of ‘forever-day’ vulnerability in Cisco business-grade router line uncovered
The rediscovery of vulnerabilities in wireless chip firmware technology from Broadcom has revealed how inherited security flaws can get baked into networking technology.
Security researchers at IoT Inspector discovered that although Broadcom (silently) patched vulnerabilities in its software development kit (SDK) for its chipsets as early as 2011, they still affected devices released years later by major vendors such as Cisco, DD-WRT, and Linksys (a brand owned by Cisco until 2013, when the line was bought by Belkin).
“As the affected Cisco devices are end of life, those issues will remain forever-days,” Florian Lukavsky, managing director of IoT Inspector.
The Germany-based security consultancy uncovered flaws in the Universal Plug and Play (UPnP) implementation of Broadcom’s SDK while developing detection rules for Broadcom binaries, as revealed in a technical blog post today (October 5).
Subsequent detective work led to the discovery of CVE-2021-34730, an unauthenticated remote code execution (RCE) flaw affecting Cisco RV110, RV130, and RV215, a range of routers aimed at meeting the needs of smaller businesses.
Security researchers used GitHub’s powerful search engine to identify repositories containing Broadcom’s flawed UPnP code.
The inherited flaws in networking devices shows that supply chain issues extend beyond software-only ecosystems and can also impact embedded wireless chips in networking devices.
“This further demonstrates the crucial need for supply chain security validation, such as secure development lifecycles and source code reviews on the supplier’s end, and third-party source code review on the device vendor’s end,” IoT Inspector said.
The security firm’s latest report follows earlier research that revealed how high-severity security flaws in Realtek chipsets impacted more than 65 IoT device manufacturers.