Eleven technology companies spanning networking, security and service providers have launched the Network Resilience Coalition to address the persistent lack of resilience in network hardware and software. The alliance is tackling the problem by encouraging timely updates and patching, and better communication between vendors, operators and governments.
The founding members of this coalition include AT&T, Broadcom, BT Group, Cisco, Fortinet, Intel, Juniper Networks, Lumen Technologies, Palo Alto Networks, Verizon and VMware.
“We’ve seen an increase in government notifications of nation-state attacks on end-of-life and end-of-warranty gear, and software and communications platforms. The targeted technologies include routers, virtualization software and firewalls. These products have all had patches available, but for various reasons, these patches were not applied and were being exploited by adversary governments,” Ari M. Schwartz, coordinator at the Center for Cybersecurity Policy and Law, said during the launch event.
“If we’re going to address the full problem, we all need to work together. And that’s the goal of the Network Resilience Coalition — to work together on recommending solutions that need to be implemented by the software and hardware vendors, the communication platforms and policymakers.”
Eric Goldstein, executive assistant director for the Cybersecurity and Infrastructure Security Agency (CISA), echoed that the effort should be a collaboration between technology vendors and governments worldwide.
“Doing that in a way that minimizes the burden on many of the end-user organizations, particularly those who, in CISA, we called ‘target-rich, resource-poor,’” he said. Goldstein went on to say that those end-user organizations carried the burden of figuring out which products were at end of service, then how to fix them, without necessarily knowing who to call or having the resources to replace or upgrade those devices. “The adversaries exploit that burden to their advantage,” he said.
By the end of this year, the coalition intends to publish a report addressing end-of-life and out-of-warranty equipment, together with the related issues on communication platforms, and to identify similar areas to focus on in the future.
For the report, coalition members will work together to generate actionable recommendations for improving network security that target technology providers, technology users and those responsible for creating or regulating security policy.
In network security, one of the most pervasive problems is the failure to apply available patches in a timely manner.
Brad Arkin, SVP, chief security and trust officer at Cisco, noted that there is a type of story that happens all the time where the forensics show that a malicious adversary was able to take control of a forgotten or neglected network device, and the way they did it was by exploiting a vulnerability for which a patch was available, usually years before the attack.
“There’s this sense of missed opportunity,” Arkin said. And “it’s an asymmetric opportunity where a little bit of patching could have prevented a much bigger incident-response process later on.”
He cited an example in which Cisco issued a public patch in 2017 and updated the security advisory in early 2018 to note that the vulnerability was being exploited. Yet five years later, in 2023, U.S. and U.K. government agencies still had to issue a call to action because many organizations had not applied the fix.
In another recent example of the ongoing patching challenge, a Bishop Fox study of internet-exposed FortiGate firewalls found that, almost a month after Fortinet identified and patched the critical vulnerability CVE-2023-27997 (a pre-authentication heap buffer overflow in the SSL-VPN interface) in June this year, nearly 70% of the affected devices still had not been patched.
“Our devices are all over the place and there might be one that was sold through a partner in some corner of the world and the message is just never going to get to them. I’m interested in what [we can] do to make it more universally understood that those devices can be patched and that by not patching them, you’re exposing yourself to the types of attacks that are going on,” said Derrick Scholl, senior director of the security incident response team at Juniper Networks.
Scholl also raised the issue of regulation for product providers. Big players like Cisco and Juniper are active in patching and transparent about their end-of-life and end-of-service policies, but he posed a question: “What about the medium and small players that have no idea what the right thing is, and how can we make the right thing easily understandable to them?”
He noted that there is now an opportunity presented by the coalition to address all these issues. “The unique opportunity we have here is the combination of the vendors making the products, the customers using them, the governments trying to get folks to do the right thing, all in one location.”