Decade-long vulnerability in multiple routers could allow network compromise

Devices using Arcadyan software are at risk

A 12-year-old authentication bypass vulnerability could allow attackers to compromise networks and devices in at least 20 router models

A 12-year-old authentication bypass vulnerability that could allow attackers to compromise networks and devices has been discovered in at least 20 router models, potentially affecting millions of users.

Discovered by Evan Grant of Tenable, the critical path traversal flaw is tracked as CVE-2021-20090, with a CVSS score of 9.8, and is exploitable by unauthenticated, remote attackers.

Grant found the issue, which has been present for at least 12 years, in Buffalo routers, specifically the Arcadyan-based web interface software.

Bug hunting

In a blog post, the researcher explained that one of the first things he looks at while analyzing any web application or interface is how it handles authentication.

Grant found that the feature was only checking as many bytes as are in strings.

Grant wrote: “This means that if a user is trying to reach http://router/images/someimage.png, the comparison will match since is in the bypass list, and the URL we are trying to reach begins with .

“The function doesn’t care about strings which come after, such as ‘someimage.png’.

“So what if we try to reach ? For example, let’s try . The URL normally contains all of the nice LAN/WAN info when we first login to the device, but returns any unauthenticated users to the login screen.”


Grant was able to exploit this vulnerability to bypass authentication, allowing an unauthenticated user to access pages they shouldn’t be able to.

An attacker could also gain access to , which would enable them to make requests for more sensitive information and could grant the ability to make configuration changes.
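The prefix-only comparison described above, next to a check that canonicalizes the request path before matching, as an added example (not code from Arcadyan, Buffalo or Tenable). The function names, the "/css/" list entry and the "/status.html" page are assumptions; the path is assumed to be already split from any query string.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed allowlist: "/images/" is from the article's URL, "/css/" is assumed. */
static const char *const bypass_list[] = { "/images/", "/css/", NULL };

/* Flawed check: compares only strlen(entry) bytes of the raw request path. */
bool bypass_check_prefix_only(const char *path) {
    for (const char *const *e = bypass_list; *e; e++)
        if (strncmp(path, *e, strlen(*e)) == 0) return true;
    return false;
}

/* Resolve "." and ".." segments into out. Fails closed on a climb above the
 * root, on '%' or '\\' (encoded or alternate separators), or on overflow. */
bool canonicalize(const char *path, char *out, size_t cap) {
    size_t len = 0;
    if (path[0] != '/' || strpbrk(path, "%\\") || cap < 2) return false;
    while (*path) {
        while (*path == '/') path++;               /* skip separators */
        size_t n = strcspn(path, "/");             /* length of this segment */
        if (n == 0) break;
        if (n == 2 && path[0] == '.' && path[1] == '.') {
            if (len == 0) return false;            /* would leave the root */
            while (out[--len] != '/') { }          /* drop the last segment */
        } else if (!(n == 1 && path[0] == '.')) {
            if (len + n + 2 > cap) return false;   /* '/' + segment + NUL */
            out[len++] = '/';
            memcpy(out + len, path, n);
            len += n;
        }
        path += n;
    }
    if (len == 0) out[len++] = '/';
    out[len] = '\0';
    return true;
}

/* Hardened check: match the allowlist against the canonical path only. */
bool bypass_check_hardened(const char *path) {
    char canon[256];
    return canonicalize(path, canon, sizeof canon) && bypass_check_prefix_only(canon);
}

int main(void) {
    const char *p = "/images/../status.html";      /* constructed request path */
    printf("flawed=%d hardened=%d\n", bypass_check_prefix_only(p), bypass_check_hardened(p));
    return 0;
}
```

The request handler should also serve the canonical path rather than the raw one, so the string that was checked is the string that is used.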

The issue affects Buffalo WSR-2533DHPL2 devices running firmware version 1.02 and earlier, and WSR-2533DHP3 devices running version 1.24 and earlier; it has since been patched.

More vulnerable devices

After confirming the vulnerability was present in the Buffalo router, Grant said that he discovered it also affected at least 20 other models.

“This [vulnerability] appears to be shared by almost every Arcadyan-manufactured router/modem we could find, including devices which were originally sold as far back as 2008,” wrote Grant.

Grant said this latest discovery sparks concern around the risk of supply chain attacks, an ever-increasing and serious threat to organizations and technology users.


“There is a much larger conversation to be had about how this vulnerability in Arcadyan’s firmware has existed for at least 10 years and has therefore found its way through the supply chain into at least 20 models across 17 different vendors,” Grant wrote.

The researcher also noted that this latest disclosure is “an important lesson in how one should approach research on consumer electronics”.

He added: “The vendor selling you the device is not necessarily the one who manufactured it, and if you find bugs in a consumer router’s firmware, they could potentially affect many more vendors and devices than just the one you are researching.”


Source: The Daily Swig
