Flashpoint discovered two new critical vulnerabilities affecting NetModule Router Software (NRSW), which could allow remote attackers to bypass authentication and access certain administrative functionality.
Flashpoint reached out to NetModule to notify them of these vulnerabilities. The vendor unintentionally removed the vulnerable code in 2018, making newer versions of the software unaffected.
NetModule has chosen not to communicate this information to their customers because they no longer support older versions.
Flashpoint has encouraged NetModule to release a security advisory, or any form of messaging to their clients, stating that older firmware versions contained the discovered issues. At the time of publishing, NetModule clients using vulnerable versions of NRSW have no knowledge of these critical vulnerabilities affecting their devices.
Flashpoint has confirmed that there are hundreds of vulnerable devices that are internet-accessible, with a strong possibility of many more being deployed across the world.
These vulnerabilities were found during audits of some older releases due to their still widespread use. Normally, we don’t contact vendors about issues they’ve already fixed, but NetModule never posted a security advisory or included information in their release changelogs.
This means that customers running these old releases are, to this day, unaware that they contain critical vulnerabilities.
Carsten Eiram, VP of Vulnerability Research at Flashpoint
The importance of security advisories
Given the potential for exploitation, Flashpoint researchers had hoped that an alert or advisory from NetModule would convince affected customers to upgrade to fixed versions. However, NetModule has stated that they have no plans to release a security advisory—citing an internal policy of only addressing supported releases. Furthermore, they state that they already publish Discontinuation Notices and continuously ask customers to keep devices up to date.
NetModule is effectively stating that customers running old, unsupported releases are knowingly accepting the associated risks, a viewpoint that many vendors share. While this approach may be commonplace amongst vendors in the industry, the situation provides real-world insight into a commonly cited security problem—the continued use, and exploitation, of end-of-life software.
Vulnerabilities affecting end-of-life products are favored by threat actors
The use of end-of-life products and software is known to be a poor practice, and the Cybersecurity and Infrastructure Security Agency (CISA) has released several advisories detailing its adverse effects. In their June advisory, CISA stated that Chinese cyber actors favored several vulnerabilities affecting end-of-life software in their attacks—due to their ease of exploitation and overall vendor neglect.
The data therefore shows that even though security teams know they should update or replace unsupported software, this does not always happen.
Reasons why organizations fail to update older software
There will always be a subset of organizations that will fail to update. For some, it may be difficult to justify an upgrade, especially if the deployed asset is essential in daily operations. So unless the vendor communicates that previous iterations had severe issues, business leaders could interpret an update as more trouble than it’s worth.
On the other hand, some organizations will examine releases, only choosing to update if the newer version provides fixes or improvements to the specific functionalities they rely on. Regardless of the reasons, this is risky behavior and goes against best security practices. However, vendors need to acknowledge that some of their clients may have this mentality.
What vendors can do to help reduce the deployment of end-of-life software
To counter that mindset, vendors can opt to issue security alerts for discontinued products. This practice requires minimal resources and provides a great value to customers, increasing the chance of them upgrading. However, in the NRSW situation, choosing not to release an advisory after becoming aware of critical issues is a disservice.
Get the full intelligence picture with Flashpoint
Organizations relying on Flashpoint’s vulnerability management solutions were warned of these issues at the start of June. Flashpoint recommends that anyone using vulnerable versions of NRSW should immediately upgrade to a fixed version—or ensure that they are no longer Internet accessible.
In addition, organizations should examine their network and identify any deployed end-of-life software. There is a possibility that those assets contain vulnerabilities that you, or even the vendor, are unaware of. To get the full intelligence picture, sign up for a free VulnDB trial and gain visibility into over 295,000 vulnerabilities affecting thousands of vendors and products.
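The recommendation above (find end-of-life firmware on the network and get Internet-exposed devices off the old release first) can be turned into a repeatable inventory check. The script below is an added example written for this page, not Flashpoint's or NetModule's code. The support floor in MIN_SUPPORTED and the device inventory are constructed placeholders: the page gives no NRSW version numbers, so the real boundary must come from the vendor's Discontinuation Notices. It generalises beyond NRSW to any product for which you can state a lowest supported version, and it compares versions numerically so that a release like 3.10 is not mistaken for something older than 3.9.

```python
"""Inventory triage for end-of-life firmware (constructed example).

Compares each device's firmware against the lowest still-supported
version for its product and ranks unsupported devices so that
Internet-exposed ones are handled first.
"""
import re
from dataclasses import dataclass

# Constructed placeholder: the oldest version the vendor still supports.
# This is NOT NetModule's real support boundary; take it from the
# vendor's Discontinuation Notices for each product you run.
MIN_SUPPORTED = {
    "NRSW": "4.0.0.0",
}


@dataclass(frozen=True)
class Device:
    host: str
    product: str
    version: str
    internet_exposed: bool


def parse_version(text: str) -> tuple:
    """Split '3.10.2' into (3, 10, 2) so that 3.10 sorts after 3.9.

    Plain string comparison would wrongly rank '3.10' below '3.9'.
    """
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(n) for n in nums)


def is_unsupported(product: str, version: str) -> bool:
    """True when the installed version is below the product's support floor."""
    floor = MIN_SUPPORTED.get(product)
    if floor is None:
        return False  # unknown product: cannot judge, report it separately
    a, b = parse_version(version), parse_version(floor)
    # Pad to equal length so (3, 9) compares sanely against (4, 0, 0, 0).
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def triage(devices):
    """Return [(host, severity)] for unsupported devices, worst first.

    Internet-exposed devices on an unsupported release are 'critical'
    (upgrade or remove exposure now); internal ones are 'high'.
    """
    findings = []
    for d in devices:
        if not is_unsupported(d.product, d.version):
            continue
        severity = "critical" if d.internet_exposed else "high"
        findings.append((d.host, severity))
    findings.sort(key=lambda f: (f[1] != "critical", f[0]))
    return findings


# Constructed sample inventory; hostnames and versions are made up.
INVENTORY = [
    Device("edge-rtr-01", "NRSW", "3.9.0.0", internet_exposed=True),
    Device("plant-rtr-07", "NRSW", "3.10.1.0", internet_exposed=False),
    Device("edge-rtr-02", "NRSW", "4.2.0.1", internet_exposed=True),
    Device("lab-switch-1", "OtherOS", "1.0", internet_exposed=True),
]

if __name__ == "__main__":
    for host, sev in triage(INVENTORY):
        print(f"{sev.upper():8} {host}")
```

Feeding it a real export from your asset inventory, with the support floors filled in from vendor notices, gives a prioritised list: exposed devices on an unsupported release first, then internal ones. Products missing from MIN_SUPPORTED are skipped rather than silently marked fine, so track those separately until a floor is known.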