Multiple Modem Routers Vulnerable to Unauthenticated Attacks

• A large set of modem routers from nine vendors are vulnerable to remote unauthenticated access.
• Some of these vendors have addressed the problem with a fixing patch, but not every model is covered.
• Applying any available firmware updates and disabling remote WAN access to the admin panel is advisable.

Researchers warn about a critical path traversal vulnerability affecting modems made by Arcadyan which use the same buggy firmware. The flaw is being tracked as CVE-2021-20090 and has a CVSS v3 score of 8.1 (critical). The vulnerability allows an attacker to bypass authentication on a target device remotely, potentially accessing private pages, sensitive information, tokens, or even altering the router settings. The discovery of this comes from the Tenable team, who also found two more flaws (91 and 92) that have a more limited impact (only Buffalo WSR-2533DHPL2).

The modem router devices that are vulnerable to CVE-2021-20090 are the following:

Vendor	Device	Vulnerable Version
ADB	ADSL wireless IAD router	1.26S-R-3P
Arcadyan	ARV7519	00.96.00.96.617ES
Arcadyan	VRV9517	6.00.17 build04
Arcadyan	VGV7519	3.01.116
Arcadyan	VRV9518	1.01.00 build44
ASMAX	BBR-4MG / SMC7908 ADSL	0.08
ASUS	DSL-AC88U (Arc VRV9517)	1.10.05 build502
ASUS	DSL-AC87VG (Arc VRV9510)	1.05.18 build305
ASUS	DSL-AC3100	1.10.05 build503
ASUS	DSL-AC68VG	5.00.08 build272
Beeline	Smart Box Flash	1.00.13_beta4
British Telecom	WE410443-SA	1.02.12 build02
Buffalo	WSR-2533DHPL2	1.02
Buffalo	WSR-2533DHP3	1.24
Buffalo	BBR-4HG
Buffalo	BBR-4MG	2.08 Release 0002
Buffalo	WSR-3200AX4S	1.1
Buffalo	WSR-1166DHP2	1.15
Buffalo	WXR-5700AX7S	1.11
Deutsche Telekom	Speedport Smart 3	010137.4.8.001.0
HughesNet	HT2000W	0.10.10
KPN	ExperiaBox V10A (Arcadyan VRV9517)	5.00.48 build453
KPN	VGV7519	3.01.116
O2	HomeBox 6441	1.01.36
Orange	LiveBox Fibra (PRV3399)	00.96.00.96.617ES
Skinny	Smart Modem (Arcadyan VRV9517)	6.00.16 build01
SparkNZ	Smart Modem (Arcadyan VRV9517)	6.00.17 build04
Telecom (Argentina)	Arcadyan VRV9518VAC23-A-OS-AM	1.01.00 build44
TelMex	PRV33AC	1.31.005.0012
TelMex	VRV7006
Telstra	Smart Modem Gen 2 (LH1000)	0.13.01r
Telus	WiFi Hub (PRV65B444A-S-TS)	v3.00.20
Telus	NH20A	1.00.10debug build06
Verizon	Fios G3100	1.5.0.10
Vodafone	EasyBox 904	4.16
Vodafone	EasyBox 903	30.05.714
Vodafone	EasyBox 802	20.02.226

Tenable found out about this in January 2021 and reported the issue to the manufacturers in the months that followed. The more digging they did, the more device models and vendors were added to the list, and today, the advisory is considered to have its final form, including a total of nine modem router vendors.

The solution to the problem can only come via firmware updates, but this hasn’t been made available by all vendors and for all of the affected models. In some cases, we’re talking about EOL products, so these will have to be replaced by new ones. If you’re using any of the modems presented in the list, go ahead and check for any available firmware updates. If you’re running a vulnerable version and there’s no patch available to apply, you should be able to mitigate the risk by disabling the WAN-side administration services on your router as well as the web interface on the WAN.

As always, keep an eye on your modem vendor’s security advisory page and apply patches as soon as they’re made available. Now that the flaw has been published, malicious hackers will start scanning for vulnerable endpoints, so the exploitation rate will pick up. Hopefully, it won’t be long before most vendors respond with fixing action, but addressing the problem requires the end user's involvement. Unfortunately, there are millions affected by this flaw. This is why the CERT Coordination Center is now taking part in the effort to communicate the problem widely.