Decade-Old Router Bug Could Affect Millions of Devices

Security researchers have discovered a 12-year-old router vulnerability that they've warned may affect millions of devices globally.

Tenable research engineer, Evan Grant, explained in a blog post that he originally found the authentication bypass vulnerability in devices from manufacturer Buffalo.

However, during the disclosure process, he found that the bug actually existed in the underlying firmware from Taiwanese firm Arcadyan.

“All of the devices we were able to test or have tested via third-parties shared at least one vulnerability: the path traversal which allows an attacker to bypass authentication, now assigned as CVE-2021–20090,” he explained.

“This appears to be shared by almost every Arcadyan-manufactured router/modem we could find, including devices which were originally sold as far back as 2008.”

Tenable has claimed that the issue may affect millions of devices manufactured by 17 different vendors, used in at least 11 countries — including Australia, Germany, Japan, Mexico, New Zealand, the US.

The vulnerability in question has a CVSS score of 8.1, making it high severity. If exploited, it could allow an unauthenticated remote attacker to bypass authentication. However, Grant also found two further bugs present in Buffalo routers: improper access control flaw CVE-2021-20092 and configuration file injection vulnerability CVE-2001-20091.

As Grant discovered the potential scale of the issue, he reported it to the CERT Coordination Center to help with the process of notifying all affected vendors.

The case highlights the inherent risks in code supply chains and vulnerable software libraries.

“There is a much larger conversation to be had about how this vulnerability in Arcadyan’s firmware has existed for at least 10 years and has therefore found its way through the supply chain into at least 20 models across 17 different vendors,” Grant concluded.

“I’d also like to encourage security researchers who are able to get their hands on one of the 20+ affected devices to take a look for (and report) any post-authentication vulnerabilities like the configuration injection found in the Buffalo routers. I suspect there are a lot more issues to be found in this set of devices.”

What’s Hot on Infosecurity Magazine?