search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Arcadyan-based routers and modems vulnerable to authentication bypass

Vulnerability Note VU#914124

Original Release Date: 2021-07-20 | Last Revised: 2021-07-20

Overview

A path traversal vulnerability exists in numerous routers manufactured by multiple vendors using Arcadyan based software. This vulnerability allows an unauthenticated user access to sensitive information and allows for the alteration of the router configuration.

Description

The vulnerability, identified as CVE-2021-20090, is a path traversal vulnerability. An unauthenticated attacker is able to leverage this vulnerability to access resources that would normally be protected. The researcher initially thought it was limited to one router manufacturer and published their findings, but then discovered that the issue existed in the Arcadyan based software that was being used in routers from multiple vendors.

Impact

Successful exploitation of this vulnerability could allow an attacker to access pages that would otherwise require authentication. An unauthenticated attacker could gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings.

Solution

The CERT/CC recommends updating your router to the latest available firmware version. It is also recommended to disable the remote (WAN-side) administration services on any SoHo router and also disable the web interface on the WAN.

Acknowledgements

Thanks to the reporter Evan Grant from Tenable.

This document was written by Timur Snoke.

Vendor Information

914124
 

Arcadyan Unknown

Notified:  2021-07-06 Updated: 2021-07-20

CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

ASUSTeK Computer Inc. Unknown

Notified:  2021-07-06 Updated: 2021-07-20

CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Beeline Unknown

Notified:  2021-07-06 Updated: 2021-07-20

CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

British Telecommunications Unknown

Notified:  2021-07-06 Updated: 2021-07-20

CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Buffalo Technology Unknown

Notified:  2021-07-06 Updated: 2021-07-20

CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Hughes Network Systems Inc. Unknown

Notified:  2021-07-06 Updated: 2021-07-20

CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Telus Unknown

Notified:  2021-07-08 Updated: 2021-07-20

CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Verizon Unknown

Notified:  2021-07-06 Updated: 2021-07-20

CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Vodafone Group Inc. Unknown

Notified:  2021-07-06 Updated: 2021-07-20

CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.


Other Information

CVE IDs: CVE-2021-20090
Date Public: 2021-07-20
Date First Published: 2021-07-20
Date Last Updated: 2021-07-20 20:21 UTC
Document Revision: 1

Sponsored by CISA.