Millions of routers are exposed to a security flaw that existed for a decade in home routers running Arcadyan firmware. The actively exploited flaw, tracked as CVE-2021-20090, affects at least 20 models across 17 different vendors and 11 countries. The list includes devices from multiple vendors and ISPs, among them Asus, British Telecom, Deutsche Telekom, Orange, O2 (Telefonica), Verizon, Vodafone, Telstra, and Telus. The 13 Internet Service Providers (ISPs) identified operate in Argentina, the U.S., Australia, Canada, Germany, Japan, New Zealand, Mexico, the Netherlands, Russia, and Spain.
The critical path traversal vulnerability was discovered by Tenable. When exploited, it allows attackers to bypass authentication to the router's web interface, and it could be leveraged to access other devices on a home or corporate network. The vulnerability has also been observed being exploited in the wild by threat actors from Wuhan, Hubei province, China, who are using malicious tools to deploy a Mirai botnet variant.
Vulnerability Details (CVE-2021-20090)
The path traversal vulnerability exists because access permissions are improperly set for a list of folders and files. It allows unauthenticated users to access sensitive information. Valid request tokens obtained this way can then be used to make requests that change the router configuration.
Arcadyan firmware used in routers from multiple vendors is vulnerable. The list of affected devices from different vendors is attached below:
Attached below is a screenshot of an HTTP request and response on a vulnerable router allowing access to a page that should be restricted to authenticated users:
Vulnerability Details (CVE-2021-20091)
The remote code execution vulnerability exists because the web interface of the Buffalo router does not properly validate user-supplied input. A crafted parameter can be injected through ‘apply_abstract.cgi’ into the device’s global config file, inserting a new line into the configuration that enables telnetd.
Vulnerability Details (CVE-2021-20092)
The information disclosure vulnerability exists due to improper access control. An unauthorized actor can get a valid token by navigating to the ‘loginerror.html’ page. The ‘valid httoken’ obtained can be used in further requests to obtain sensitive information like the ‘admin’ password.
Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24
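For defenders, the path traversal described under CVE-2021-20090 and the ‘apply_abstract.cgi’ endpoint named above can be hunted for in HTTP access logs. The following is an added detection example, not code from Tenable or from any vendor. It assumes common-log-format lines from a proxy or sensor in front of the router's web interface, and the `/public/` folder, `status.html` page and log lines are constructed placeholders.

```python
import posixpath
import re
from urllib.parse import unquote

# Endpoint named in the text above; reaching it through a traversal is high priority.
SENSITIVE = {"apply_abstract.cgi"}
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Aug/2021:10:00:01 +0000] "GET /css/style.css HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Aug/2021:10:00:02 +0000] "GET /public/..%2fstatus.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [05/Aug/2021:10:00:03 +0000] "POST /public/..%252fapply_abstract.cgi HTTP/1.1" 200 64',
]

def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded separators (%252f) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(log_line):
    """Return None for a clean request, else a dict describing the traversal."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    raw_path = m.group("target").partition("?")[0]
    decoded = fully_decode(raw_path).replace("\\", "/")
    if ".." not in decoded.split("/"):
        return None  # no parent-directory segment after decoding
    resolved = posixpath.normpath("/" + decoded.lstrip("/"))
    return {
        "method": m.group("method"),
        "raw": raw_path,
        "resolved": resolved,  # the page the server would actually serve
        "severity": "high" if posixpath.basename(resolved) in SENSITIVE else "medium",
    }

def scan(lines):
    """Collect findings for every log line that contains a traversal."""
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A `200` response to a flagged request from an unauthenticated client is the signal to prioritise, since it means the page behind the traversal was actually served.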
We strongly recommend updating the router to the latest available Arcadyan firmware version.