- A large set of modem routers from nine vendors are vulnerable to remote unauthenticated access.
- Some of these vendors have addressed the problem with a fixing patch, but not every model is covered.
- Applying any available firmware updates and disabling remote WAN access to the admin panel is advisable.
Researchers warn about a critical path traversal vulnerability affecting modems made by Arcadyan which use the same buggy firmware. The flaw is being tracked as CVE-2021-20090 and has a CVSS v3 score of 8.1 (critical). The vulnerability allows an attacker to bypass authentication on a target device remotely, potentially accessing private pages, sensitive information, tokens, or even altering the router settings. The discovery of this comes from the Tenable team, who also found two more flaws (91 and 92) that have a more limited impact (only Buffalo WSR-2533DHPL2).
The modem router devices that are vulnerable to CVE-2021-20090 are the following:
|ADB||ADSL wireless IAD router||1.26S-R-3P|
|ASMAX||BBR-4MG / SMC7908 ADSL||0.08|
|ASUS||DSL-AC88U (Arc VRV9517)||1.10.05 build502|
|ASUS||DSL-AC87VG (Arc VRV9510)||1.05.18 build305|
|Beeline||Smart Box Flash||1.00.13_beta4|
|British Telecom||WE410443-SA||1.02.12 build02|
|Buffalo||BBR-4MG||2.08 Release 0002|
|Deutsche Telekom||Speedport Smart 3||010137.4.8.001.0|
|KPN||ExperiaBox V10A (Arcadyan VRV9517)||5.00.48 build453|
|Orange||LiveBox Fibra (PRV3399)||00.96.00.96.617ES|
|Skinny||Smart Modem (Arcadyan VRV9517)||6.00.16 build01|
|SparkNZ||Smart Modem (Arcadyan VRV9517)||6.00.17 build04|
|Telecom (Argentina)||Arcadyan VRV9518VAC23-A-OS-AM||1.01.00 build44|
|Telstra||Smart Modem Gen 2 (LH1000)||0.13.01r|
|Telus||WiFi Hub (PRV65B444A-S-TS)||v3.00.20|
Tenable found out about this in January 2021 and reported the issue to the manufacturers in the months that followed. The more digging they did, the more device models and vendors were added to the list, and today, the advisory is considered to have its final form, including a total of nine modem router vendors.
The solution to the problem can only come via firmware updates, but this hasn’t been made available by all vendors and for all of the affected models. In some cases, we’re talking about EOL products, so these will have to be replaced by new ones. If you’re using any of the modems presented in the list, go ahead and check for any available firmware updates. If you’re running a vulnerable version and there’s no patch available to apply, you should be able to mitigate the risk by disabling the WAN-side administration services on your router as well as the web interface on the WAN.
As always, keep an eye on your modem vendor’s security advisory page and apply patches as soon as they’re made available. Now that the flaw has been published, malicious hackers will start scanning for vulnerable endpoints, so the exploitation rate will pick up. Hopefully, it won’t be long before most vendors respond with fixing action, but addressing the problem requires the end user's involvement. Unfortunately, there are millions affected by this flaw. This is why the CERT Coordination Center is now taking part in the effort to communicate the problem widely.