Researchers identified a critical authentication bypass vulnerability (CVE-2021-20090) affecting multiple routers and internet-of-things (IoT) devices. Analysis report says that the vulnerability affects devices from 20 different vendors and ISPs. Let’s explore the list of routers affected by critical authentication bypass vulnerability and countermeasures to mitigate the vulnerability.
Table of Contents
Routers Affected By Critical Authentication Bypass Vulnerability:
The authentication bypass vulnerability tracked as CVE-2021-20090 affecting devices of multiple vendors and ISPs. The flaw affects the routers which use the same firmware from Arcadyan. Let’s see the list of routers affected by critical authentication bypass vulnerability.
- British Telecom
- Deutsche Telekom
- Telecom [Argentina]
This is a path traversal vulnerability that leads to an authentication bypass in the web interfaces of routers with Arcadyan firmware. This vulnerability allows the attacker to circumvent authentication and gain access to sensitive information like valid request tokens, which can be used to tweak the device settings by constructing the request. Considering this, the CVSS score is kept 9.9 for this vulnerability.
The PoC published by Tenable shows, how to modify the configuration of a device to enable telnet on a vulnerable router and gain root-level shell access to the device.
“The vulnerability exists due to a list of folders which fall under a ‘bypass list’ for authentication,” According to Tenable, “The vulnerability can be triggered by multiple paths. For a device in which /index.htm” rel=”noreferrer noopener”>http://<ip>/index.htm requires authentication, an attacker could access index.htm using the following paths:”
- /images/..%2findex.htm” rel=”noreferrer noopener”>http://<ip>/images/..%2findex.htm
- /js/..%2findex.htm” rel=”noreferrer noopener”>http://<ip>/js/..%2findex.htm
- /css/..%2findex.htm” rel=”noreferrer noopener”>http://<ip>/css/..%2findex.htm
After a couple of days from publish, Juniper Threat Labs identified attack patterns that attempt to exploit this vulnerability in the wild. Juniper reported that the attacks originated from an IP address (27.22.80[.]19) located in Wuhan, Hubei province, China. In the same post, Juniper also wrote, The attacker abused the vulnerability to deploy a Mirai variant on the affected routers using scripts reported by Palo Alto Networks in March 2021.
In these new attacks, the actor does not just try exploiting the CVE-2021-20090. There are few other vulnerabilities too:
- CVE-2020-29557 (DLink routers)
- CVE-2021-1497 and CVE-2021-1498 (Cisco HyperFlex)
- CVE-2021-31755 (Tenda AC11)
- CVE-2021-22502 (MicroFocus OBR)
- CVE-2021-22506 (MicroFocus AM)
Countermeasures To Mitigate The Critical Authentication Bypass Vulnerability:
The most effective countermeasure to mitigate the attack is firmware upgradation or apply the patch if your vendor rolls out. We recommend following these tips that stop you from being the victim of many other attacks.
- Create a strong and unique password
- Enable network encryption
- Filter the MAC addresses
- Reducing the wireless signal range
- Upgrade the router’s firmware
- Make use of guest network
Please be aware of routers affected by critical authentication bypass vulnerability (CVE-2021-20090) and take the action against the vulnerability if you have the router listed in the post.
Thanks for reading this threat post. Please share this post and help to create awareness.