CVE-2021-20090 actively exploited to target millions of IoT devices worldwide

Pierluigi Paganini August 07, 2021

Threat actors are actively exploiting a critical authentication bypass issue (CVE-2021-20090) affecting home routers with Arcadyan firmware.

Threat actors actively exploit a critical authentication bypass vulnerability, tracked as CVE-2021-20090, impacting home routers with Arcadyan firmware to deploy a Mirai bot.

“A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.” reads the advisory published by Tenable.

This flaw potentially affects millions of IOT devices manufactured by no less than 17 vendors, including some ISPs. 

The ongoing attacks were spotted by researchers from Juniper Threat Labs, experts believe that were conducted by a threat actor that targeted IoT devices in a campaign since February.

“As of August 5, we have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China. The attacker seems to be attempting to deploy a Mirai variant on the affected routers using scripts similar in name to the ones mentioned by Palo Alto Networks in March. We had witnessed the same activity starting February 18.” reads the analysis published by Juniper experts. “The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability.”

The ongoing attacks were discovered by Juniper Threat Labs researchers while monitoring the activity of a threat actor known for targeting network and IoT devices since February.

According to the experts, between June 6, 2021, and July 23, the threat actor started exploiting the following vulnerabilities:

  1. CVE-2020-29557 (DLink routers)
  2. CVE-2021-1497 and CVE-2021-1498 (Cisco HyperFlex)
  3. CVE-2021-31755  (Tenda AC11)
  4. CVE-2021-22502 (MicroFocus OBR)
  5. CVE-2021-22506 (MicroFocus AM)
  6. a couple more exploits from exploit-db with no related CVEs.

Experts pointed out that attackers continue to add new exploits to their arsenal.

Tenable researchers shared a list of affected devices:

ADSL wireless IAD router
ArcadyanVRV95176.00.17 build04
ArcadyanVRV95181.01.00 build44
ASUSDSL-AC88U (Arc VRV9517)1.10.05 build502
ASUSDSL-AC87VG (Arc VRV9510)1.05.18 build305
ASUSDSL-AC31001.10.05 build503
ASUSDSL-AC68VG5.00.08 build272
BeelineSmart Box Flash1.00.13_beta4
British TelecomWE410443-SA1.02.12 build02
BuffaloBBR-4MG2.08 Release 0002
Deutsche TelekomSpeedport Smart 3010137.
KPNExperiaBox V10A (Arcadyan VRV9517)5.00.48 build453
O2HomeBox 64411.01.36
OrangeLiveBox Fibra (PRV3399)
SkinnySmart Modem (Arcadyan VRV9517)6.00.16 build01
SparkNZSmart Modem (Arcadyan VRV9517)6.00.17 build04
Telecom (Argentina)Arcadyan VRV9518VAC23-A-OS-AM1.01.00 build44
TelstraSmart Modem Gen 2 (LH1000)0.13.01r
TelusWiFi Hub (PRV65B444A-S-TS)v3.00.20
TelusNH20A1.00.10debug build06
VerizonFios G31001.5.0.10
VodafoneEasyBox 9044.16
VodafoneEasyBox 90330.05.714
VodafoneEasyBox 80220.02.226

The CVE-2021-20090 flaw existed in Arcadyan’s firmware for at least ten years, this means that every vendor that used it in its models automatically inherited the bug.

Researchers also shared Indicators of compromise (IOCs) associated with the last wave of attacks attributed to this threat actor.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2021-20090)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment