A flaw in SNMP on an older version of Cisco’s IOS has enabled the creation of malware significant enough to prompt a government warning: "US, UK warn of govt hackers using custom malware on Cisco routers." Sticking with the old firmware leaves customers vulnerable to widely circulated malware. Cisco customers clearly need to upgrade, but there has always been tension in that regard, especially for smaller organizations.
Cisco’s support contracts are expensive, especially for smaller organizations, and so is new hardware. Although obtaining upgraded firmware from non-Cisco sources may come with some malicious surprises, not upgrading has its own risks. Cisco customers without up-to-date support contracts for affected devices now have to take a close look at their budgets.
Networking vendors have come under fire several times over the years for gating security updates behind expensive support contracts, and this incident is likely to lead to renewed discussion of the implications of those business decisions.