Home workers' routers likely exposed to critical vulnerability

Overview

A vulnerability in the firmware of a number of common home routers has been identified as being actively exploited in order to install the Mirai botnet.

Routers running Arcadyan firmware are susceptible to a critical path traversal vulnerability in their web interface, the severity of which has been graded 9.9/10.

The vulnerability has existed in Arcadyan’s firmware for more than 10 years and has been found to be present in at least 20 different models across 17 different vendors.

While the vulnerability has so far been seen exploited only to deploy the Mirai botnet, exploitation is likely to become significantly more malicious now that proof-of-concept code has been released and wider awareness has been drawn to the issue.

Impact

An unauthenticated remote attacker could bypass authentication in order to take over the device and use it for their own ends.

Are my systems vulnerable and what products are affected?

It is unlikely that corporate routers are affected unless you are using equipment typically found within the domestic market. However, given the prevalence of remote working this may affect your staff’s home networks to which your corporate devices may be connected. This may therefore provide attackers with the potential for a man-in-the-middle (MitM) attack or a platform from which to scan and enumerate corporate devices.

Vendor, device and firmware version on which the vulnerability was found:

  • ADB ADSL wireless IAD router 1.26S-R-3P
  • Arcadyan ARV7519 00.96.00.96.617ES
  • Arcadyan VRV9517 6.00.17 build04
  • Arcadyan VGV7519 3.01.116
  • Arcadyan VRV9518 1.01.00 build44
  • ASMAX BBR-4MG / SMC7908 ADSL 0.08
  • ASUS DSL-AC88U (Arc VRV9517) 1.10.05 build502
  • ASUS DSL-AC87VG (Arc VRV9510) 1.05.18 build305
  • ASUS DSL-AC3100 1.10.05 build503
  • ASUS DSL-AC68VG 5.00.08 build272
  • Beeline Smart Box Flash 1.00.13_beta4
  • British Telecom WE410443-SA 1.02.12 build02
  • Buffalo WSR-2533DHPL2 1.02
  • Buffalo WSR-2533DHP3 1.24
  • Buffalo BBR-4HG
  • Buffalo BBR-4MG 2.08 Release 0002
  • Buffalo WSR-3200AX4S 1.1
  • Buffalo WSR-1166DHP2 1.15
  • Buffalo WXR-5700AX7S 1.11
  • Deutsche Telekom Speedport Smart 3 010137.4.8.001.0
  • HughesNet HT2000W 0.10.10
  • KPN ExperiaBox V10A (Arcadyan VRV9517) 5.00.48 build453
  • KPN VGV7519 3.01.116
  • O2 HomeBox 6441 1.01.36
  • Orange LiveBox Fibra (PRV3399) 00.96.00.96.617ES
  • Skinny Smart Modem (Arcadyan VRV9517) 6.00.16 build01
  • SparkNZ Smart Modem (Arcadyan VRV9517) 6.00.17 build04
  • Telecom (Argentina) Arcadyan VRV9518VAC23-A-OS-AM 1.01.00 build44
  • TelMex PRV33AC 1.31.005.0012
  • TelMex VRV7006
  • Telstra Smart Modem Gen 2 (LH1000) 0.13.01r
  • Telus WiFi Hub (PRV65B444A-S-TS) v3.00.20
  • Telus NH20A 1.00.10debug build06
  • Verizon Fios G3100 1.5.0.10
  • Vodafone EasyBox 904 4.16
  • Vodafone EasyBox 903 30.05.714
  • Vodafone EasyBox 802 20.02.226

Vulnerability Detection

This may be a difficult and contentious issue, given that these devices are typically out of scope for corporate vulnerability management systems, and bringing them into scope would likely affect licensing costs as well as staff privacy. Employees may be directed to tools such as Tenable’s Nessus Essentials or Qualys Community Edition in order to perform vulnerability assessments of their own equipment; however, this will require them to provide personal details in order to access the download and updates.

Containment, Mitigations & Remediations

While Arcadyan has confirmed the vulnerability and stated that it is working with one partner on a fix, it is not yet clear whether a patch is available. This may be complicated further by the fact that many ISPs have applied their own custom interfaces and branding to the devices. Owners of these devices should check with their providers for updates and apply them as soon as possible.

Indicators of Compromise

Attack source IP: 27.22.80[.]19
Shell script and binaries downloaded from: 212.192.241[.]72

Shell script:
9793ac5afd1be5ec55476d2c205260d1b7af6db7cc29a9dc0f7fbee68a177c78 lolol.sh

Dark binaries:
73edf8bfbbeaccdd84204f24402dcf488c3533be2682724e5906396b9237411d dark.arm5
8bb454cd942ce6680f083edf88ffa31661a47a45eb3681e1b36dd05043315399 dark.mips
f83eadaa00e81ad51e3ab479b900b981346895b99d045a6b6f77491c3132b58c dark.m68k
e4bc34e321b31926fd2fa1696136187b13864dfa03fba6848e59f9f72bfa9529 dark.sh4
80331cf89f3e6026b33b8f1bfa1c304295b9327311661d7927f78824f04cf528 dark.arm6
904f9b2e029595365f4f4426069b274810510908c7dd23a3791a831f51e9f1fc dark.mpsl
283f932f30756408a59dac97a6965eb792915242214d590eab1c6cb049148582 dark.x86
c2f5bbf35afc7335f789e420c23c43a069ecfcca1a8f9fac5cd554a7a769440e dark.arm7
70764ef9800c1d09f965fbb9698d0eda52448b23772d118f2f2c4ba37b59fc20 dark.ppc
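The indicators above are most useful when they are actually run against something. The following script is an added example, not part of the advisory, that loads the published IoCs (the two defanged addresses and the SHA-256 hashes listed above), scans log lines for contact with either address, and hashes files or in-memory blobs to see whether they match a listed payload. The iptables-style log format and the three sample log lines are constructed for the example; the file names `lolol.sh` and `dark.*` and the hashes are the advisory's own.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators of compromise as published in the advisory. Addresses are kept in
# their defanged form and refanged only at match time.
IOC_IPS_DEFANGED = ("27.22.80[.]19", "212.192.241[.]72")

IOC_SHA256: Dict[str, str] = {
    "9793ac5afd1be5ec55476d2c205260d1b7af6db7cc29a9dc0f7fbee68a177c78": "lolol.sh",
    "73edf8bfbbeaccdd84204f24402dcf488c3533be2682724e5906396b9237411d": "dark.arm5",
    "8bb454cd942ce6680f083edf88ffa31661a47a45eb3681e1b36dd05043315399": "dark.mips",
    "f83eadaa00e81ad51e3ab479b900b981346895b99d045a6b6f77491c3132b58c": "dark.m68k",
    "e4bc34e321b31926fd2fa1696136187b13864dfa03fba6848e59f9f72bfa9529": "dark.sh4",
    "80331cf89f3e6026b33b8f1bfa1c304295b9327311661d7927f78824f04cf528": "dark.arm6",
    "904f9b2e029595365f4f4426069b274810510908c7dd23a3791a831f51e9f1fc": "dark.mpsl",
    "283f932f30756408a59dac97a6965eb792915242214d590eab1c6cb049148582": "dark.x86",
    "c2f5bbf35afc7335f789e420c23c43a069ecfcca1a8f9fac5cd554a7a769440e": "dark.arm7",
    "70764ef9800c1d09f965fbb9698d0eda52448b23772d118f2f2c4ba37b59fc20": "dark.ppc",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 27.22.80[.]19 back into a real address."""
    return indicator.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}

# Matches dotted-quad IPv4 addresses anywhere in a log line.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, address) for every line that mentions an IoC address."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for addr in IPV4_RE.findall(line):
            if addr in IOC_IPS:
                hits.append((lineno, addr))
    return hits


def lookup_hash(digest: str) -> Optional[str]:
    """Map a SHA-256 hex digest to the IoC file name, or None if it is unknown."""
    return IOC_SHA256.get(digest.lower())


def classify_bytes(data: bytes) -> Optional[str]:
    """Hash an in-memory blob and report which IoC payload it matches, if any."""
    return lookup_hash(hashlib.sha256(data).hexdigest())


def classify_file(path: Path) -> Optional[str]:
    """Hash a file on disk in chunks (fine for large downloads) and look it up."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return lookup_hash(h.hexdigest())


# Constructed sample log lines in an assumed iptables-style format (not from the
# advisory). Line 1 is inbound traffic from the attack source, line 2 an outbound
# fetch from the payload host, line 3 unrelated traffic that must not match.
SAMPLE_LOG = """\
2021-08-06T10:12:01Z fw: IN=eth0 SRC=27.22.80.19 DST=192.0.2.10 DPT=80 ACTION=ACCEPT
2021-08-06T10:12:05Z fw: OUT=eth0 SRC=192.0.2.10 DST=212.192.241.72 DPT=80 ACTION=ACCEPT
2021-08-06T10:13:00Z fw: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 DPT=443 ACTION=DROP
"""


if __name__ == "__main__":
    for lineno, addr in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: contact with IoC address {addr}")
    # A constructed benign blob matches none of the listed hashes.
    print("benign blob matched:", classify_bytes(b"constructed benign content"))
```

Keeping the indicators defanged in the source and refanging only inside the matcher means the file can be pasted into tickets and chat without producing live links; `classify_file` is what you would point at a quarantined download, while `scan_log_lines` can be fed the output of a home router's or firewall's connection log export.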

Further Information

Juniper Networks Blogs – Freshly disclosed vulnerability CVE-2021-20090 exploited in the wild
Bleeping Computer
Tenable TechBlog Medium – Bypassing Authentication on Arcadyan Routers with CVE-2021-20090 and rooting some Buffalo
Tenable – Multiple Vulnerabilities in Buffalo and Arcadyan manufactured routers
Tenable Whitepaper – Router Vulnerability Present for a Decade