RV042G, services stop working / crash due (probably) Log4j attacks?

tamsysmm
Level 1

Hi,

 

I have about 40 RV042Gs in use. About 2 weeks ago some routers at customers stopped working. It seems that basic NAT works but services (VPN & DHCP) stop working. Powering off router clears problem. This seems to occur every few days and usually on connections which have good bandwidth (=>100M).

 

I have seen this so far on newest FW (v4.2.3.14) so that is not helping in this case. (Many routers are on .10 version still)

 

Affected routers have some kind of port forwarding enabled and so they are "visible" on the internet. For various reasons I can not disable all forwarding and also I can not make an access list on these forwarded ports.

 

My current theory is that firewall simply runs out of resources and/or some kind of buffer overflow which crashes OS on RV042G (RV042 also).

 

I was wondering if I should disable DDOS protection, or SPI. Maybe DDOS protection in itself is using so much memory & CPU that at some point OS crashes.

 

I had already begun project replacing with new firewalls but as we all know, if it works do not touch it. So I was in no hurry. Problem is, it is not working anymore

 

If anybody has some insight on this matter, I would be very glad

 

BR,

 

Markku


tamsysmm
Level 1

Hi,

 

Replying to my own question.

 

I noticed that port 443 is open even if remote login is disabled. Firewall has HTTPS protocol enabled by default. This is needed for QuickVPN and of course encrypted webconsole use. I have now disabled this (as I use IPSEC VPN, Shrew VPN) and now 443 is really closed.

 

In a few days I'll see if this was the solution, fingers crossed...

 

Markku

tamsysmm
Level 1

Monologue continues

 

So far it seems that disabling HTTPS does not help. Now resorting to disabling DDS & SPI and minimizing logging events. If that does not help I need to resort to mechanical timers for power off daily until I can install new firewalls...

Unfortunately nothing seems to help.

 

Now that connections have been getting faster it seems that with current firmware RV042Gs can not handle incoming attempts.

After 5 days one RV042G stopped working (VPN), this one has DDOS, SPI and HTTPS disabled, ping disabled. Only VPN is used.

This device was working very nicely before we upgraded to 100/100M fibre, previously it had 10/10M SHDSL.

 

I believe this problem would be easy to solve via firmware update, support is promised till 2025, are you listening Cisco

 

Anyhow I must now accelerate replacing firewalls. This has been a good run with Linksys RV042 to Cisco RV042G but now moving on...

tamsysmm
Level 1

Just to repeat myself,

 

As sw support for this model has ended in 01/2021 it is now impossible to use these *unless* you have no visible ports enabled (or access list based ports). As soon as bots find a visible port scanning/attacks start. And if you have fast enough pipe (100/100M seems to be enough) FW services crash at some point. NAT remains working.

 

I will make one final test on our own FW. I will disable *all* logging, DDOS & SPI & HTTPS.

 

I bet it would not be big problem to fix this on SW side but as support has ended it is not gonna happen

Getting exact same symptoms for past 4 months.  No solution yet found.

FYI,

 

It seems that I can get about 5-20 days of uptime (on various routers) if one disables all logging and SPI, HTTPS, DDOS protection.

So rebooting router once in 3 days could get you a "working" setup.

 

 

Same problem here, on 2 different models of RV016, and on RV042G. Issues on all 3 models: some work for weeks and all of a sudden crash, router web GUI crashed (sometimes says BAD GATEWAY), internet works for a while, and then no internet.
Logs don't show anything. Logs on a device with open port do show thousands of illegal attempts to log in to server, IP blocked and then again login from different IP addresses.

Firmware newest FW (v4.2.3.14)