CVE-2021-20090 actively exploited to target millions of IoT devices worldwide

Threat actors are actively exploiting a critical authentication bypass issue (CVE-2021-20090) affecting home routers with Arcadyan firmware.

Threat actors actively exploit a critical authentication bypass vulnerability, tracked as CVE-2021-20090, impacting home routers with Arcadyan firmware to deploy a Mirai bot.

“A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.” reads the advisory published by Tenable.

This flaw potentially affects millions of IOT devices manufactured by no less than 17 vendors, including some ISPs.

The ongoing attacks were spotted by researchers from Juniper Threat Labs, experts believe that were conducted by a threat actor that targeted IoT devices in a campaign since February.

“As of August 5, we have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China. The attacker seems to be attempting to deploy a Mirai variant on the affected routers using scripts similar in name to the ones mentioned by Palo Alto Networks in March. We had witnessed the same activity starting February 18.” reads the analysis published by Juniper experts. “The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability.”

The ongoing attacks were discovered by Juniper Threat Labs researchers while monitoring the activity of a threat actor known for targeting network and IoT devices since February.

According to the experts, between June 6, 2021, and July 23, the threat actor started exploiting the following vulnerabilities:

CVE-2020-29557 (DLink routers)
CVE-2021-1497 and CVE-2021-1498 (Cisco HyperFlex)
CVE-2021-31755 (Tenda AC11)
CVE-2021-22502 (MicroFocus OBR)
CVE-2021-22506 (MicroFocus AM)
a couple more exploits from exploit-db with no related CVEs.

Experts pointed out that attackers continue to add new exploits to their arsenal.

Tenable researchers shared a list of affected devices:

`ADSL wireless IAD router`	`1.26S-R-3P`
`Arcadyan`	`ARV7519`	`00.96.00.96.617ES`
`Arcadyan`	`VRV9517`	`6.00.17 build04`
`Arcadyan`	`VGV7519`	`3.01.116`
`Arcadyan`	`VRV9518`	`1.01.00 build44`
`ASMAX`	`BBR-4MG / SMC7908 ADSL`	`0.08`
`ASUS`	`DSL-AC88U (Arc VRV9517)`	`1.10.05 build502`
`ASUS`	`DSL-AC87VG (Arc VRV9510)`	`1.05.18 build305`
`ASUS`	`DSL-AC3100`	`1.10.05 build503`
`ASUS`	`DSL-AC68VG`	`5.00.08 build272`
`Beeline`	`Smart Box Flash`	`1.00.13_beta4`
`British Telecom`	`WE410443-SA`	`1.02.12 build02`
`Buffalo`	`WSR-2533DHPL2`	`1.02`
`Buffalo`	`WSR-2533DHP3`	`1.24`
`Buffalo`	`BBR-4HG`
`Buffalo`	`BBR-4MG`	`2.08 Release 0002`
`Buffalo`	`WSR-3200AX4S`	`1.1`
`Buffalo`	`WSR-1166DHP2`	`1.15`
`Buffalo`	`WXR-5700AX7S`	`1.11`
`Deutsche Telekom`	`Speedport Smart 3`	`010137.4.8.001.0`
`HughesNet`	`HT2000W`	`0.10.10`
`KPN`	`ExperiaBox V10A (Arcadyan VRV9517)`	`5.00.48 build453`
`KPN`	`VGV7519`	`3.01.116`
`O2`	`HomeBox 6441`	`1.01.36`
`Orange`	`LiveBox Fibra (PRV3399)`	`00.96.00.96.617ES`
`Skinny`	`Smart Modem (Arcadyan VRV9517)`	`6.00.16 build01`
`SparkNZ`	`Smart Modem (Arcadyan VRV9517)`	`6.00.17 build04`
`Telecom (Argentina)`	`Arcadyan VRV9518VAC23-A-OS-AM`	`1.01.00 build44`
`TelMex`	`PRV33AC`	`1.31.005.0012`
`TelMex`	`VRV7006`
`Telstra`	`Smart Modem Gen 2 (LH1000)`	`0.13.01r`
`Telus`	`WiFi Hub (PRV65B444A-S-TS)`	`v3.00.20`
`Telus`	`NH20A`	`1.00.10debug build06`
`Verizon`	`Fios G3100`	`1.5.0.10`
`Vodafone`	`EasyBox 904`	`4.16`
`Vodafone`	`EasyBox 903`	`30.05.714`
`Vodafone`	`EasyBox 802`	`20.02.226`

The CVE-2021-20090 flaw existed in Arcadyan’s firmware for at least ten years, this means that every vendor that used it in its models automatically inherited the bug.

Researchers also shared Indicators of compromise (IOCs) associated with the last wave of attacks attributed to this threat actor.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2021-20090)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.