A bug found on millions of routers that bypasses authentication

[UK Sentinel]

Threat actors actively exploit a critical authentication bypass vulnerability impacting home routers with Arcadyan firmware to take them over and deploy Mirai botnet malicious payloads.

The vulnerability tracked as CVE-2021-20090 is a critical path traversal vulnerability (rated 9.9/10) in the web interfaces of routers with Arcadyan firmware that could allow unauthenticated remote attackers to bypass authentication.

Millions of routers likely exposed to attacks
Vulnerable devices include dozens of router models from multiple vendors and ISPs, including Asus, British Telecom, Deutsche Telekom, Orange, O2 (Telefonica), Verizon, Vodafone, Telstra, and Telus.

Based on the number of router models and the long list of vendors impacted by this bug, the total number of devices exposed to attacks likely reaches millions of routers.

The security flaw was discovered by Tenable, which published a security advisory on April 26 and added proof of concept exploit code on Tuesday, August 3.

“This vulnerability in Arcadyan’s firmware has existed for at least 10 years and has therefore found its way through the supply chain into at least 20 models across 17 different vendors, and that is touched on in a whitepaper Tenable has released,” explained Evan Grant, Tenable Staff Research Engineer, on Tuesday.

 

https://www.bleepingcomputer.com/news/security/actively-exploited-bug-bypasses-authentication-on-millions-of-routers/

Share the knowledge

Attachments:

1. 

   Vulnerable-routers-vendors.png
   

In a completely sane world, madness is the only freedom (J.G.Ballard).

You need to login in order to vote

[UK Sentinel]

I have dropped ASUS an email to see how CVE-2021-20090 effects there range of DSL router

Share the knowledge

In a completely sane world, madness is the only freedom (J.G.Ballard).

You need to login in order to vote

[dodgydrains]

Looks like the dreaded DSL-AC88U is on the list…..

Share the knowledge

You need to login in order to vote

[UK Sentinel]

DSL-AC88U – R.I.P 

Arcadyan make lots of routers for ASUS, but luckily only Firmware created by Arcadyan is at fault.

 

http://en.techinfodepot.shoutwiki.com/wiki/Arcadyan

Share the knowledge

In a completely sane world, madness is the only freedom (J.G.Ballard).

You need to login in order to vote

[UK Sentinel]

Speaking with ASUS today, in theory Arcadyan are obliged to supply a security hotfix for all their products, as this is classed as a ‘major security issue’,  so will be interesting to see if the DSL-AC88U receives an update also

Share the knowledge

In a completely sane world, madness is the only freedom (J.G.Ballard).

You need to login in order to vote

[UK Sentinel]

ASUS have released a new firmware for the DSL-AC88U

Version 1.10.08_Build593
2021/08/25

Change Log:

ASUS DSL-AC88U Firmware version v1.10.08_Build593 (This product supports Annex A)
Fixed CVE-2021-20090

—–

Alas, I discussed this with ASUS previously.  this only covers the Security vulnerability that allows Bypass Authentication.

CVE-2021-20090 – https://www.tenable.com/cve/CVE-2021-20090

Share the knowledge

In a completely sane world, madness is the only freedom (J.G.Ballard).

You need to login in order to vote

[dodgydrains]

This is crazy after how many years????  Better late than never though.

Share the knowledge

You need to login in order to vote

[UK Sentinel]

Share the knowledge

In a completely sane world, madness is the only freedom (J.G.Ballard).

You need to login in order to vote

[Author]

Posts