Overview
A path traversal vulnerability exists in numerous routers manufactured by multiple vendors using Arcadyan-based software. This vulnerability allows an unauthenticated user access to sensitive information and allows for the alteration of the router configuration.
Description
The vulnerability, identified as CVE-2021-20090, is a path traversal vulnerability. An unauthenticated attacker is able to leverage this vulnerability to access resources that would normally be protected. The researcher initially thought the issue was limited to one router manufacturer and published their findings, but then discovered that the issue existed in the Arcadyan-based software used in routers from multiple vendors.
Impact
Successful exploitation of this vulnerability could allow an attacker to access pages that would otherwise require authentication. An unauthenticated attacker could gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings.
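The Description and Impact above describe the bug class without showing the mechanism. The following is an added, constructed illustration of how a path traversal turns into an authentication bypass; it is not Arcadyan's code nor any vendor's, and the route prefixes, web root and sample request paths are assumptions chosen for the demonstration. The point is that an access check applied to the raw request string can disagree with the path the handler actually serves once '..' segments and percent-encoding are resolved; the hardened variant canonicalizes first and decides on the result.

```python
"""Path traversal as an authentication bypass: naive vs. hardened access check.

Constructed example (not any router vendor's code). The route table and
web root below are assumptions made for the demonstration.
"""
import posixpath
from urllib.parse import unquote

# Assumed route table: paths that may be served without a session.
PUBLIC_PREFIXES = ("/images/", "/css/", "/login.html")
# Assumed document root the handler prepends before opening a file.
WEB_ROOT = "/www"


def canonicalize(path: str, max_decode: int = 3) -> str:
    """Percent-decode until stable (bounded, so double encoding such as
    '%252e' cannot slip through), then collapse '.' and '..' segments."""
    decoded = path
    for _ in range(max_decode):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return posixpath.normpath("/" + decoded.lstrip("/"))


def served_file(raw_path: str) -> str:
    """Model of what a typical embedded web server opens: one decode pass,
    then normalization relative to the web root."""
    canon = posixpath.normpath("/" + unquote(raw_path).lstrip("/"))
    return posixpath.normpath(WEB_ROOT + canon)


def naive_requires_auth(raw_path: str) -> bool:
    """Vulnerable pattern: the decision is made on the raw string, so any
    request that merely *starts* with a public prefix is let through, even
    if it later climbs out of that directory with '..'."""
    return not raw_path.startswith(PUBLIC_PREFIXES)


def hardened_requires_auth(raw_path: str) -> bool:
    """Canonicalize first, decide on the path that will actually be served,
    and fail closed on anything that still looks irregular."""
    canon = canonicalize(raw_path)
    if ".." in canon.split("/") or "\x00" in canon:
        return True  # should not survive normpath, but fail closed anyway
    return not canon.startswith(PUBLIC_PREFIXES)


def evaluate(raw_path: str) -> dict:
    """Side-by-side verdict of both checks for one request path."""
    return {
        "served": served_file(raw_path),
        "naive_requires_auth": naive_requires_auth(raw_path),
        "hardened_requires_auth": hardened_requires_auth(raw_path),
    }


# Constructed sample requests exercising the checks.
SAMPLE_REQUESTS = [
    "/images/logo.png",                      # legitimately public
    "/admin/status.html",                    # protected; both checks agree
    "/images/../admin/status.html",          # traversal: naive check lets it through
    "/images/%2e%2e/admin/status.html",      # percent-encoded variant
    "/images/%252e%252e/admin/status.html",  # double-encoded variant
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, evaluate(req))
```

Running the block prints, for each constructed request, the file the handler would open and whether each check demands a session; the traversal variants are the rows where the naive check says no session is needed while the served file lies under the protected directory. The design choice worth keeping is that authorization is evaluated on the same canonical path the file handler uses, so the two can never disagree.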
Solution
The CERT/CC recommends updating your router to the latest available firmware version. It is also recommended to disable remote (WAN-side) administration services, including the web management interface, on any SOHO router.
Acknowledgements
Thanks to the reporter Evan Grant from Tenable.
This document was written by Timur Snoke.
Vendor Information
Buffalo Technology Affected
| CVE-2021-20090 | Affected |
Vendor Statement
We have not received a statement from the vendor.
Deutsche Telekom Affected
Statement Date: August 10, 2021
| CVE-2021-20090 | Affected |
Vendor Statement
A detailed list and product advisory are being created, as well as fixes.
ADTRAN Not Affected
Statement Date: August 10, 2021
| CVE-2021-20090 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
AVM GmbH Not Affected
Statement Date: August 12, 2021
| CVE-2021-20090 | Not Affected |
Vendor Statement
AVM does not utilize Arcadyan components.
Actiontec Not Affected
Statement Date: August 10, 2021
| CVE-2021-20090 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Brocade Communication Systems Not Affected
Statement Date: August 10, 2021
| CVE-2021-20090 | Not Affected |
Vendor Statement
No Brocade Fibre Channel Products from Broadcom products are currently known to be affected by this vulnerability.
Check Point Not Affected
Statement Date: August 11, 2021
| CVE-2021-20090 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Cradlepoint Not Affected
Statement Date: August 10, 2021
| CVE-2021-20090 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Dell Not Affected
Statement Date: August 10, 2021
| CVE-2021-20090 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
F5 Networks Inc. Not Affected
Statement Date: August 10, 2021
| CVE-2021-20090 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Intel Not Affected
Statement Date: August 10, 2021
| CVE-2021-20090 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Juniper Networks Not Affected
Statement Date: October 07, 2021
| CVE-2021-20090 | Not Affected |
Vendor Statement
Juniper Networks Junos OS and Junos OS Evolved are not affected by CVE-2021-20090, CVE-2021-20091, and CVE-2021-20092.
LANCOM Systems GmbH Not Affected
Statement Date: August 16, 2021
| CVE-2021-20090 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
OpenWRT Not Affected
Statement Date: August 10, 2021
| CVE-2021-20090 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Peplink Not Affected
Statement Date: August 11, 2021
| CVE-2021-20090 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Sierra Wireless Not Affected
Statement Date: August 10, 2021
| CVE-2021-20090 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Synology Not Affected
Statement Date: August 12, 2021
| CVE-2021-20090 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Wind River Not Affected
Statement Date: September 06, 2021
| CVE-2021-20090 | Not Affected |
Vendor Statement
VxWorks is not affected, as we do not use Arcadyan-based routers and modems.
Zyxel Not Affected
Statement Date: August 18, 2021
| CVE-2021-20090 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
dd-wrt Not Affected
Statement Date: August 11, 2021
| CVE-2021-20090 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
D-Link Systems Inc. Unknown
Statement Date: August 31, 2021
| CVE-2021-20090 | Unknown |
Vendor Statement
D-Link US SIRT,
After full investigation, D-Link has confirmed that no D-Link products are affected by this issue.
Regards, security@dlink.com William Brown D-Link US SIRT
A10 Networks Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
ACCESS Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
ARRIS Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
ASUSTeK Computer Inc. Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
AT&T Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Alcatel-Lucent Enterprise Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Arcadyan Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Avaya Inc. Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Beeline Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Belkin Inc. Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
British Telecommunications Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Cisco Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Comcast Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Commscope Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Extreme Networks Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
F-Secure Corporation Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Hitachi Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Huawei Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Hughes Network Systems Inc. Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
IBM Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Linksys Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
MikroTik Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Mitel Networks Inc. Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Motorola Inc. Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NETGEAR Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NetComm Wireless Limited Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Nokia Unknown
Statement Date: August 10, 2021
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Quagga Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Quantenna Communications Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Ruckus Wireless Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
SMC Networks Inc. Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
TDS Telecom Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
TP-LINK Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Technicolor Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Telus Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Ubiquiti Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Verizon Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Vodafone Group Inc. Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
eero Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
pfSense Unknown
| CVE-2021-20090 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
References
- https://www.tenable.com/security/research/tra-2021-13
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20090
- https://www.buffalo.jp/news/detail/20210427-03.html
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
Other Information
| CVE IDs: | CVE-2021-20090 |
| Date Public: | 2021-07-20 |
| Date First Published: | 2021-07-20 |
| Date Last Updated: | 2021-10-07 20:26 UTC |
| Document Revision: | 15 |