UPDATE: August 10, 2021: Threat actors are actively exploiting CVE-2021-20090, a more-than-decade-old authentication bypass vulnerability affecting millions of home and some business routers that was disclosed last week, according to a blog post from Juniper Networks.
Researchers from Tenable disclosed the vulnerability, which was originally found in Buffalo consumer routers, but later traced to Arcadyan Technology. The vulnerability could allow attackers to access other devices on a network or manipulate DNS records in order to transmit malicious content to a user.
The new activity is linked to an IP address based in Wuhan, China, and may be an attempt to deploy a Mirai botnet variant onto affected devices, Juniper Networks said. The scripts are similar to ones mentioned by Palo Alto Networks in March.
- Researchers at Tenable have uncovered a vulnerability dating back to 2008, which could leave millions of consumer and business network routers open to malicious attack, highlighting growing concern about the security of the technology supply chain.
- The issue involves an authentication bypass flaw, or CVE-2021-20090, that was originally found in Buffalo consumer routers but linked to software developed by Arcadyan Technology Corp. The flaw could allow an attacker to access other devices on a network or manipulate DNS records in order to serve malicious content to users, according to Tenable.
- The devices in question span a huge swath of the global supply chain, as the flaw has been linked to 20 different models of routers or modems made by 17 different vendors in 11 countries, including the U.S., Australia, Germany, Japan, Mexico and New Zealand.
While the case does not strike at the core of the enterprise user base, it highlights the long-term risk that millions of consumer and business customers have unknowingly carried an undetected vulnerability in the application supply chain for more than a decade.
Tenable researchers initially took the flaws to be specific to a group of Buffalo routers sold in the Japanese market, but quickly found that the risk extended across multiple international markets.
"They are not particularly complicated vulnerabilities, so it is very surprising that they were never found by either the manufacturer or the vendors selling the devices," Evan Grant, staff research engineer at Tenable, told Cybersecurity Dive via email.
The authentication bypass could let an attacker take control of and reconfigure a victim's router, according to Grant, which in turn could enable man-in-the-middle attacks. By leveraging a related vulnerability, CVE-2021-20091, an attacker could also gain root access to the router, exposing the victim to malware such as Mirai.
Tenable notified multiple vendors about the vulnerability, including Buffalo, Arcadyan, Verizon, Vodafone, O2 and HughesNet, and also reported it to the CERT Coordination Center (CERT/CC). The disclosure timeline with Buffalo Japan began in January.
The larger question raised by the research is whether manufacturers and vendors have done enough proactive testing and research to uncover potentially dangerous flaws within their products.
"It means that we can't assume code that has been around for a long time has received the research and attention it should and that there may still be vulnerabilities lurking in old code that continues to find its way into new devices," said Grant.