Three days after the disclosure, attackers are already commandeering home routers from 20 vendors and ISPs.
The flaw, tracked as CVE-2021-20090, was disclosed last week by researchers at Tenable. It affects devices from 20 different vendors and ISPs (ADB, Arcadyan, ASMAX, ASUS, Beeline, British Telecom, Buffalo, Deutsche Telekom, HughesNet, KPN, O2, Orange, Skinny, SparkNZ, Telecom [Argentina], TelMex, Telstra, Telus, Verizon and Vodafone), all of which use the same firmware from Arcadyan. In total, millions of devices could be vulnerable.
In a proof-of-concept exploit, Tenable found that it is possible to modify a vulnerable router's configuration to enable Telnet and gain root access to the device.
The impact
According to Tenable's advisory of the 3rd of August, "the weakness exists because of a rundown of folders which fall under a 'bypass list' for authentication." For most of the devices listed, this means the flaw can be triggered in several ways. On a device where http://<ip>/index.htm requires authentication, an attacker could instead reach index.htm through the following paths:
- http://<ip>/images/..%2findex.htm
- http://<ip>/js/..%2findex.htm
- http://<ip>/css/..%2findex.htm
The advisory goes on to state, "To have the pages load properly, one will need to use proxy match/replace settings to ensure any resources loaded which require authentication also leverage the path traversal."
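The root cause described above is a prefix match on the raw, still-encoded request path: anything under images/, js/ or css/ skips authentication, so a URL-encoded ".." (%2f) slips past the check and is only resolved to /index.htm afterwards. The following added example (not code from the article, from Tenable, or from the Arcadyan firmware) contrasts that flawed check with a hardened one that canonicalizes first, and runs a simple detector over a few constructed access-log lines. The bypass-list prefixes and the log lines are assumptions built from the three paths quoted in the article; the real firmware list is not on the page.

```python
import posixpath
import re
from urllib.parse import unquote

# Folder prefixes that are exempt from authentication. Assumed from the three
# paths quoted in the article; the real firmware "bypass list" is not on the page.
BYPASS_PREFIXES = ("/images/", "/js/", "/css/")


def vulnerable_skips_auth(raw_path: str) -> bool:
    """Flawed check: prefix-match the raw, still-encoded request path.

    '/images/..%2findex.htm' starts with '/images/', so authentication is
    skipped, even though the server later decodes and resolves it to
    '/index.htm'. Returns True when auth would (wrongly) be skipped.
    """
    return raw_path.startswith(BYPASS_PREFIXES)


def decode_fully(path: str) -> str:
    """Percent-decode until the string stops changing, so that double
    encoding (%252f -> %2f -> /) cannot hide a path separator."""
    previous = None
    while path != previous:
        previous = path
        path = unquote(path)
    return path


def canonicalize(raw_path: str) -> str:
    """Strip the query string, decode, and collapse '.'/'..' segments."""
    path = decode_fully(raw_path.split("?", 1)[0])
    canonical = posixpath.normpath(path)  # '/images/../index.htm' -> '/index.htm'
    return canonical if canonical.startswith("/") else "/" + canonical


def hardened_skips_auth(raw_path: str) -> bool:
    """Decide on the decoded, canonical path, and never exempt a request
    that still carries a traversal segment after decoding."""
    decoded = decode_fully(raw_path.split("?", 1)[0])
    if ".." in decoded.split("/"):
        return False  # traversal attempt: always require authentication
    return canonicalize(decoded).startswith(BYPASS_PREFIXES)


# Constructed access-log lines in common log format (sample data, not real traffic).
LOG_LINES = [
    '192.0.2.10 - - [05/Aug/2021:10:00:00 +0000] "GET /images/logo.png HTTP/1.1" 200 1234',
    '192.0.2.11 - - [05/Aug/2021:10:00:01 +0000] "GET /images/..%2findex.htm HTTP/1.1" 200 5678',
    '192.0.2.12 - - [05/Aug/2021:10:00:02 +0000] "GET /css/..%252findex.htm HTTP/1.1" 200 5678',
    '192.0.2.13 - - [05/Aug/2021:10:00:03 +0000] "GET /index.htm HTTP/1.1" 401 0',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_traversal_requests(lines):
    """Return (client_ip, raw_path) for every request whose decoded path
    contains a '..' segment: the signature of this bypass in web-server logs."""
    flagged = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client_ip, raw_path = match.group(1), match.group(2)
        if ".." in decode_fully(raw_path.split("?", 1)[0]).split("/"):
            flagged.append((client_ip, raw_path))
    return flagged


if __name__ == "__main__":
    for path in ("/images/logo.png", "/images/..%2findex.htm", "/css/..%252findex.htm"):
        print(f"{path:28} vulnerable={vulnerable_skips_auth(path)} "
              f"hardened={hardened_skips_auth(path)} canonical={canonicalize(path)}")
    for client_ip, raw_path in flag_traversal_requests(LOG_LINES):
        print(f"traversal from {client_ip}: {raw_path}")
```

The hardened check refuses to exempt any request that still contains a ".." segment after full decoding, rather than trying to enumerate encodings; the detector applies the same decoding to log entries, which is why the double-encoded %252f variant is flagged alongside the single-encoded one.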
The remediation
Users of these routers are advised to seek updates and mitigation guidance from their respective vendors.
Source: Threat Post