Skip to main content
close search
site logo
Dive Brief

Decade-old router flaw allows cross-network access, Tenable finds

Published Aug. 4, 2021 Updated Aug. 10, 2021
David Jones's headshot
Reporter
A woman working from home
damircudic via Getty Images

UPDATE: August 10, 2021: Threat actors are actively exploiting a more than decade-old authentication bypass vulnerability in millions of home and some business routers, CVE-2021-20090, that was disclosed last week, according to a blogpost from Juniper Networks. 

Researchers from Tenable disclosed the vulnerability, which was originally found in Buffalo consumer routers, but later traced to Arcadyan Technology. The vulnerability could allow attackers to access other devices on a network or manipulate DNS records in order to transmit malicious content to a user. 

The new activity is linked to an IP address based in Wuhan, China, and may involve an attempt to spread a Mirai botnet variant into the system, Juniper Networks said. The scripts are similar to one mentioned by Palo Alto Networks in March.

Dive Brief:

  • Researchers at Tenable have uncovered a vulnerability dating back to 2008, which could leave millions of consumer and business network routers open to malicious attack, highlighting growing concern about the security of the technology supply chain.
  • The issue involves an authentication bypass flaw, or CVE-2021-20090, that was originally found in Buffalo consumer routers but linked to software developed by Arcadyan Technology Corp. The flaw could allow an attacker to access other devices on a network or manipulate DNS records in order to serve malicious content to users, according to Tenable.
  • The devices in question span a huge swath of the global supply chain, as the flaw has been linked to 20 different models of routers or modems made by 17 different vendors in 11 countries, including the U.S., Australia, Germany, Japan, Mexico and New Zealand.

Dive Insight:

While the case does not cut to the core of the enterprise user, it highlights the potential long-term risks involved where millions of consumer and business customers have unknowingly had more than a decade of exposure to undetected vulnerability in the application supply chain.

Tenable researchers originally discovered what were thought to be flaws in a group of Buffalo routers sold in the Japanese market but quickly discovered the extent of the risks involved across multiple international markets.

"They are not particularly complicated vulnerabilities, so it is very surprising that they were never found by either the manufacturer or the vendors selling the devices," Evan Grant, staff research engineer at Tenable, told Cybersecurity Dive via email.

The vulnerability could allow an attacker to leverage the authentication bypass in order to control and reconfigure the router of a victim, according to Grant. This could potentially allow an attacker to conduct man-in-the-middle attacks. In addition, by leveraging such a vulnerability as CVE-2021-20091, an attacker could gain root access to a router and open a victim to potential exploitation from malware such as Mirai.

Tenable notified multiple vendors about the vulnerability, including Buffalo, Arcadyan, Verizon, Vodafone, O2 and HughesNet and also reported to the CERT Disclosure Center. The disclosure timeline to Buffalo Japan began in January.

The larger question raised by the research is whether manufacturers and vendors have done enough proactive testing and research to uncover potentially dangerous flaws within their products.

"It means that we can't assume code that has been around for a long time has received the research and attention it should and that there may still be vulnerabilities lurking in old code that continues to find its way into new devices," said Grant.

Filed Under: Vulnerability

Editors' picks

Company Announcements

View all | Post a press release
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell