A vulnerability in the firmware of a number of common home routers has been identified as being actively exploited in order to install the Mirai botnet.
Routers running Arcadyan firmware are susceptible to a critical path traversal vulnerability in their web interface, which has been graded at a severity of 9.9/10.
The vulnerability has existed in Arcadyan’s firmware for more than 10 years and has been found to be present in at least 20 different models across 17 different vendors.
While the vulnerability has so far been seen exploited to deploy the Mirai botnet, the activity is likely to become significantly more malicious now that proof-of-concept code has been released and wider attention has been drawn to the issue.
An unauthenticated remote attacker could bypass authentication in order to take over the device and use it to their own ends.
Are my systems vulnerable and what products are affected?
It is unlikely that corporate routers are affected unless you are using equipment typically found within the domestic market. However, given the prevalence of remote working, this may affect your staff’s home networks, to which your corporate devices may be connected. This may therefore give attackers the opportunity for a man-in-the-middle (MitM) attack, or a platform from which to scan and enumerate corporate devices.
| Vendor | Device | Found on version |
| --- | --- | --- |
| ADB | ADSL wireless IAD router | 1.26S-R-3P |
| Arcadyan | ARV7519 | 00.96.00.96.617ES |
| Arcadyan | VRV9517 | 6.00.17 build04 |
| Arcadyan | VGV7519 | 3.01.116 |
| Arcadyan | VRV9518 | 1.01.00 build44 |
| ASMAX | BBR-4MG / SMC7908 ADSL | 0.08 |
| ASUS | DSL-AC88U (Arc VRV9517) | 1.10.05 build502 |
| ASUS | DSL-AC87VG (Arc VRV9510) | 1.05.18 build305 |
| ASUS | DSL-AC3100 | 1.10.05 build503 |
| ASUS | DSL-AC68VG | 5.00.08 build272 |
| Beeline | Smart Box Flash | 1.00.13_beta4 |
| British Telecom | WE410443-SA | 1.02.12 build02 |
| Buffalo | WSR-2533DHPL2 | 1.02 |
| Buffalo | WSR-2533DHP3 | 1.24 |
| Buffalo | BBR-4HG | |
| Buffalo | BBR-4MG | 2.08 Release 0002 |
| Buffalo | WSR-3200AX4S | 1.1 |
| Buffalo | WSR-1166DHP2 | 1.15 |
| Buffalo | WXR-5700AX7S | 1.11 |
| Deutsche Telekom | Speedport Smart 3 | 010137.4.8.001.0 |
| HughesNet | HT2000W | 0.10.10 |
| KPN | ExperiaBox V10A (Arcadyan VRV9517) | 5.00.48 build453 |
| KPN | VGV7519 | 3.01.116 |
| O2 | HomeBox 6441 | 1.01.36 |
| Orange | LiveBox Fibra (PRV3399) | 00.96.00.96.617ES |
| Skinny | Smart Modem (Arcadyan VRV9517) | 6.00.16 build01 |
| SparkNZ | Smart Modem (Arcadyan VRV9517) | 6.00.17 build04 |
| Telecom (Argentina) | Arcadyan VRV9518VAC23-A-OS-AM | 1.01.00 build44 |
| TelMex | PRV33AC | 1.31.005.0012 |
| TelMex | VRV7006 | |
| Telstra | Smart Modem Gen 2 (LH1000) | 0.13.01r |
| Telus | WiFi Hub (PRV65B444A-S-TS) | v3.00.20 |
| Telus | NH20A | 1.00.10debug build06 |
| Verizon | Fios G3100 | 184.108.40.206 |
| Vodafone | EasyBox 904 | 4.16 |
| Vodafone | EasyBox 903 | 30.05.714 |
| Vodafone | EasyBox 802 | 20.02.226 |
This may be a difficult and contentious issue, given that these devices are typically out of scope for corporate vulnerability management systems, and bringing them in would likely have an impact on licensing costs as well as staff privacy. Employees may be directed to tools such as Tenable’s Nessus Essentials or Qualys Community Edition in order to perform vulnerability assessments of their own equipment; however, this will require them to provide personal details in order to access the download and updates.
Containment, Mitigations & Remediations
While Arcadyan has confirmed the vulnerability and stated that it is working with one partner on a fix, it is not yet clear whether a patch is available. This may be complicated further because many ISPs have applied their own custom interfaces and branding to the devices. Owners of these devices should check with their providers for updates and apply them as soon as possible.
Indicators of Compromise
Attack source IP: 27.22.80[.]19
Shell script and binaries downloaded from: 212.192.241[.]72
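One way to put the two indicators above, and the path traversal nature of the flaw, to work on the defensive side is to sweep existing logs for them. The script below is an added example and is not part of the advisory or of any vendor tooling: it assumes Apache/nginx-style combined access log lines for the router's web interface (source IP plus request line) and iptables-style kernel log lines (`SRC=`/`DST=`) for outbound connections, refangs the advisory's IoCs, and flags any request whose URI still contains a `../` segment after repeated percent-decoding (so single- and double-encoded variants are caught). The log lines, request paths and non-IoC addresses in `SAMPLE_LOG` are constructed for the example and are not taken from real traffic.

```python
"""Added example: scan access-log and firewall-log lines for the advisory's
IoC addresses and for path-traversal sequences in request URIs.
Log formats and sample lines are assumptions made for this example."""
import re
from urllib.parse import unquote

# Indicators exactly as published in the advisory, in defanged form.
DEFANGED_IOCS = ["27.22.80[.]19", "212.192.241[.]72"]


def refang(ip: str) -> str:
    """Turn a defanged indicator such as 27.22.80[.]19 back into a.b.c.d form."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in DEFANGED_IOCS}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Combined access log: client IP, ident, user, [timestamp], "METHOD URI ..."
ACCESS_RE = re.compile(
    rf'^(?P<ip>{IPV4}) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+)'
)
# iptables-style kernel log line carrying SRC= and DST= fields.
FIREWALL_RE = re.compile(rf"SRC=(?P<src>{IPV4}) DST=(?P<dst>{IPV4})")
# A bare ".." path segment, after decoding and backslash normalisation.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def normalise_uri(uri: str) -> str:
    """Percent-decode until stable (bounded to 3 rounds) so that ..%2f and
    %252e%252e%252f both collapse to ../ ; treat backslash as a separator."""
    cur = uri
    for _ in range(3):
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    return cur.replace("\\", "/")


def has_traversal(uri: str) -> bool:
    """True if the normalised request target contains a parent-directory segment."""
    return bool(TRAVERSAL_RE.search(normalise_uri(uri)))


def analyse(lines):
    """Return a list of (line_no, reason, line) for every suspicious line."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_RE.match(line)
        if m:
            ip, uri = m.group("ip"), m.group("uri")
            if ip in IOC_IPS:
                findings.append((n, f"request from advisory IoC address {ip}", line))
            if has_traversal(uri):
                findings.append((n, "path traversal sequence in request URI", line))
            continue
        m = FIREWALL_RE.search(line)
        if m and m.group("dst") in IOC_IPS:
            # The router itself reaching the payload host is the post-exploitation fetch.
            findings.append((n, f"outbound connection to advisory IoC address {m.group('dst')}", line))
    return findings


# Constructed sample lines (not real traffic). 192.0.2.0/24, 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges used as non-IoC addresses.
SAMPLE_LOG = [
    '27.22.80.19 - - [04/Aug/2021:10:00:01 +0000] "GET /images/..%2fconfig.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [04/Aug/2021:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [04/Aug/2021:10:00:03 +0000] "GET /static/%252e%252e%252f%252e%252e%252fhidden.html HTTP/1.1" 404 0',
    "Aug  4 10:00:05 router kernel: [12345.678] OUT=eth0 SRC=192.168.1.1 DST=212.192.241.72 PROTO=TCP DPT=80",
    "Aug  4 10:00:06 router kernel: [12346.001] OUT=eth0 SRC=192.168.1.1 DST=203.0.113.5 PROTO=TCP DPT=443",
]

if __name__ == "__main__":
    for line_no, reason, line in analyse(SAMPLE_LOG):
        print(f"line {line_no}: {reason}\n    {line}")
```

Run against the sample, the script raises four findings: two for the first line (IoC source plus a single-encoded traversal), one for the double-encoded traversal from a non-IoC address, and one for the router's outbound connection to the payload host. The decoding loop is bounded deliberately; an attacker can nest encodings further, but three rounds cover the variants commonly seen, and an unbounded loop on untrusted input is its own denial-of-service risk.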
References
- Juniper Networks Blogs – Freshly disclosed vulnerability CVE-2021-20090 exploited in the wild
- Tenable TechBlog (Medium) – Bypassing Authentication on Arcadyan Routers with CVE-2021-20090 and rooting some Buffalo
- Tenable – Multiple Vulnerabilities in Buffalo and Arcadyan manufactured routers
- Tenable Whitepaper – Router Vulnerability Present for a Decade