At least 20 router models have been found to have a 12-year-old authentication bypass vulnerability that might allow attackers to hijack networks and devices, possibly affecting millions of users. The critical path traversal bug was discovered by Evan Grant of Tenable and is tracked as CVE-2021–20090 with a CVSS of 9.8. It can be exploited by unauthenticated, remote attackers. Grant discovered the problem in Buffalo routers, notably the Arcadyan-based web interface software.
Grant discovered that bypass check() only checked as many bytes as there were in the bypass_list strings. Grant was able to circumvent authentication by exploiting this flaw, letting unauthenticated users view pages they shouldn't be able to. Two more vulnerabilities, CVE-2021-20091 and CVE-2021-20092, were discovered, however, they only target specific Buffalo routers at this time.
According to Grant, this latest revelation raises concerns about the danger of supply chain attacks, which are becoming a more common and serious threat to businesses and technology users. “There is a much larger conversation to be had about how this vulnerability in Arcadyan’s firmware has existed for at least 10 years and has therefore found its way through the supply chain into at least 20 models across 17 different vendors,” Grant wrote. "Consequently, we were surprised they hadn’t been discovered and fixed by the manufacturer or vendors who are selling affected devices over the past decade."
On Friday, just three days following the bug's disclosure, Juniper Networks cybersecurity researchers announced that they had detected active exploitation of the bug. “We have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China,” they wrote in a post. “The attacker seems to be attempting to deploy a Mirai variant on the affected routers.”
Mirai is a long-running botnet that can be used to launch distributed denial-of-service (DDoS) attacks by infecting linked devices. It first appeared in 2016, when it overloaded Dyn web hosting servers, bringing down over 1,200 websites, including Netflix and Twitter. Its source code was disclosed later that year, prompting the emergence of additional Mirai versions.
According to Juniper, several of the scripts used in the latest wave of assaults are similar to those used in prior attacks in February and March. “The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability,” researchers wrote.
