Tenable security researchers discovered a 12-year router vulnerability that could allow an attacker to bypass authentication and enable a root BusyBox shell on telnet.
The path traversal vulnerability CVE-2021-20090, initially detected for Buffalo routers, originates from Arcadyan’s firmware used in various router brands. The vulnerability exists in the supply chain of at least 20 models from at least 17 vendors in 11 countries, including the United States, Japan, Germany, Australia, Mexico and New Zealand.
The vulnerabilities also impact various internet service providers (ISPs) like Vodafone and Verizon and potentially affects millions of devices globally.
The researchers blamed library sharing for the widespread authentication bypass vulnerability exposing millions of users to potential supply chain-related attacks.
Juniper Threat Lab also discovered that threat actors were already exploiting the vulnerability in the wild two days after the disclosure.
Attackers could leverage the router vulnerability to exploit home and corporate networks
The researchers discovered that attackers could exploit vulnerable routers to access other devices at home and corporate networks.
Additionally, they could manipulate the DNS records to deliver malicious content and exploit the configuration injection vulnerability CVE 2021-20091 to gain root access.
CERT says that the router vulnerability could allow an attacker to access pages requiring authentication, allowing unauthenticated users access to sensitive information, including request tokens, and alter router settings.
The vulnerability exploits the bypass_check() function allowing unauthenticated users to access the router’s resources through various routes other than the secured page. The bypass function ignores other strings appearing after the name of the folder listed in the bypass list.
For example, if a router has the index page http://<ip>/index.htm that requires authentication, an unauthenticated user could access the page without authentication through the routes http://<ip>/images/..%2findex.htm, http://<ip>/js/..%2findex.htm, or http://<ip>/css/..%2findex.htm.
The attackers then exploit the “proxy match/replace settings” to ensure that all resources requiring authentication leverage the path traversal vulnerability. These settings also allow an attacker to replace the httoken CSRF token and the Referrer header.
Many affected devices are unknown and unlikely to receive patches
Tenable researchers tested several devices using tools like BinaryEdge, Censys, and Shodan to test vulnerable devices leveraging sites like fccid.io and wi-fi.org.
However, the researchers could not test many devices directly offered by ISPs and not available for sale.
Similarly, many devices were discontinued and thus unlikely to receive any updates from manufacturers. At reporting, Tenable identified 10,000 devices exposed on the internet.
Tenable is working with CERT Coordination Center to identify more devices affected by Arcadyan firmware router vulnerability and notify vendors.
Evan Grant, the researcher credited for the discovery, also advised other experts who obtain the affected devices to probe the gadgets for post-authentication vulnerabilities and report them.
“This [vulnerability] appears to be shared by almost every Arcadyan manufactured router/modem we could find, including devices which were originally sold as far back as 2008,” Grant said.
Tenable also published the list of vulnerable devices, including the firmware version affected by the path traversal vulnerability.
The researchers noted that the Arcadyan firmware router vulnerability posed serious supply chain risks because of the code problems. They listed the lack of transparency around the third party’s security practices and complex relationships as the greatest challenges to securing the devices.
For example, they noted that the number of Arcadyan customers was still unknown, and their relationship was opaque.
“The vulnerabilities discovered in the Arcadyan-based routers and modems serve as a small case study in how flaws affecting a shared library can become increasingly difficult to report, track and fix due to the number of vendors involved,” the researchers said.
They noted that each increase in vendors down the supply chain caused an exponential rise in the number of potential victims affected by the router vulnerability. Having many vulnerable users reduces the possibility of implementing security mitigations, thus increasing the likelihood of successful supply chain attacks.
“Though the chains being considered in this supply chain issue are luckily quite short, the number of links which originate from Arcadyan are not known,” they noted.
The researchers also distinguished the Arcadyan router vulnerability with the SolarWinds supply chain hack deliberately introduced. However, they compared it to other long-term flaws like Ripple20, AMNESIA:33, NAME: WRECK, and NUMBER: JACK.
Tenable wondered if the affected ISP performed due diligence before distributing vulnerable routers. They implied that the vendor could have covered up the router vulnerability by secretly patching it without reporting it just a while ago.