Multiple Modem Routers Vulnerable to Unauthenticated Attacks

  • A large set of modem routers built on Arcadyan firmware and sold under many vendor and ISP brands (twenty are named in the table below) are vulnerable to remote, unauthenticated access.
  • Some vendors have already released a fixing firmware update, but not every affected model is covered.
  • Apply any available firmware update, and disable remote (WAN-side) access to the admin interface whether or not a patch exists.

Researchers are warning about a path traversal vulnerability in the web interface of a broad family of modem routers built on Arcadyan firmware; the same buggy code ships in devices sold under many vendor and ISP brands. The flaw is tracked as CVE-2021-20090 and carries a CVSS v3 base score of 8.1 (rated High on the CVSS v3 scale). It allows a remote, unauthenticated attacker to bypass authentication on a target device and reach pages that should require a login, potentially exposing sensitive information and session tokens or allowing the router's configuration to be changed. The discovery comes from the Tenable research team, which also found two further flaws, CVE-2021-20091 and CVE-2021-20092, with a more limited impact (only the Buffalo WSR-2533DHPL2 is affected by those two).

The modem router devices that are vulnerable to CVE-2021-20090 are the following:

| Vendor              | Device                                   | Vulnerable version    |
|---------------------|------------------------------------------|-----------------------|
| ADB                 | ADSL wireless IAD router                 | 1.26S-R-3P            |
| Arcadyan            | ARV7519                                  | 00.96.00.96.617ES     |
| Arcadyan            | VRV9517                                  | 6.00.17 build04       |
| Arcadyan            | VGV7519                                  | 3.01.116              |
| Arcadyan            | VRV9518                                  | 1.01.00 build44       |
| ASMAX               | BBR-4MG / SMC7908 ADSL                   | 0.08                  |
| ASUS                | DSL-AC88U (Arcadyan VRV9517)             | 1.10.05 build502      |
| ASUS                | DSL-AC87VG (Arcadyan VRV9510)            | 1.05.18 build305      |
| ASUS                | DSL-AC3100                               | 1.10.05 build503      |
| ASUS                | DSL-AC68VG                               | 5.00.08 build272      |
| Beeline             | Smart Box Flash                          | 1.00.13_beta4         |
| British Telecom     | WE410443-SA                              | 1.02.12 build02       |
| Buffalo             | WSR-2533DHPL2                            | 1.02                  |
| Buffalo             | WSR-2533DHP3                             | 1.24                  |
| Buffalo             | BBR-4HG                                  | (not specified)       |
| Buffalo             | BBR-4MG                                  | 2.08 Release 0002     |
| Buffalo             | WSR-3200AX4S                             | 1.1                   |
| Buffalo             | WSR-1166DHP2                             | 1.15                  |
| Buffalo             | WXR-5700AX7S                             | 1.11                  |
| Deutsche Telekom    | Speedport Smart 3                        | 010137.4.8.001.0      |
| HughesNet           | HT2000W                                  | 0.10.10               |
| KPN                 | ExperiaBox V10A (Arcadyan VRV9517)       | 5.00.48 build453      |
| KPN                 | VGV7519                                  | 3.01.116              |
| O2                  | HomeBox 6441                             | 1.01.36               |
| Orange              | LiveBox Fibra (PRV3399)                  | 00.96.00.96.617ES     |
| Skinny              | Smart Modem (Arcadyan VRV9517)           | 6.00.16 build01       |
| SparkNZ             | Smart Modem (Arcadyan VRV9517)           | 6.00.17 build04       |
| Telecom (Argentina) | Arcadyan VRV9518VAC23-A-OS-AM            | 1.01.00 build44       |
| TelMex              | PRV33AC                                  | 1.31.005.0012         |
| TelMex              | VRV7006                                  | (not specified)       |
| Telstra             | Smart Modem Gen 2 (LH1000)               | 0.13.01r              |
| Telus               | WiFi Hub (PRV65B444A-S-TS)               | v3.00.20              |
| Telus               | NH20A                                    | 1.00.10debug build06  |
| Verizon             | Fios G3100                               | 1.5.0.10              |
| Vodafone            | EasyBox 904                              | 4.16                  |
| Vodafone            | EasyBox 903                              | 30.05.714             |
| Vodafone            | EasyBox 802                              | 20.02.226             |

Tenable first identified the flaw in January 2021 and reported it to the manufacturers over the months that followed. The more digging the researchers did, the more device models and vendors were added to the list; the advisory is now considered to be in its final form, and the table above names twenty vendor and ISP brands shipping affected devices.

The real fix can only come via a firmware update, but one hasn't been made available by every vendor or for every affected model. In some cases the devices are end-of-life products, so they will have to be replaced. If you're using any of the modems in the list, check for an available firmware update now. If you're running a vulnerable version and there's no patch to apply, you can reduce the exposure by disabling the WAN-side administration services, including the web interface, so that the vulnerable pages are not reachable from the internet. Note that this only removes the remote attack path: the flaw is still exploitable from the LAN side, and on ISP-managed devices the firmware update may have to be pushed by the ISP rather than applied by the user.

As always, keep an eye on your modem vendor's security advisory page and apply patches as soon as they're made available. Now that the flaw has been published, malicious hackers will start scanning for vulnerable endpoints, so the exploitation rate will pick up. Hopefully, it won't be long before most vendors respond with fixes, but addressing the problem still requires the end user's involvement. Unfortunately, millions of devices are affected by this flaw, which is why the CERT Coordination Center is now taking part in the effort to communicate the problem widely.
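Because the bug is a path traversal that reaches pages which should require authentication, one practical check for anyone who can collect HTTP access logs from the router or from an upstream proxy is to look for encoded traversal sequences in the requested paths. The following Python script is an added example written for this article; it is not code from Tenable or from any of the vendors. It assumes Common Log Format access lines, and the log entries and the .cgi page names in them are constructed placeholders rather than real device endpoints.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format access line: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not captured from any real device); the .cgi names are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Aug/2021:10:15:01 +0000] "GET /images/..%2fadmin.cgi HTTP/1.1" 200 512',
    '203.0.113.5 - - [03/Aug/2021:10:15:02 +0000] "GET /images/logo.png HTTP/1.1" 200 2048',
    '198.51.100.9 - - [03/Aug/2021:10:16:10 +0000] "GET /js/..%252f..%252fsettings.cgi HTTP/1.1" 404 100',
    '198.51.100.9 - - [03/Aug/2021:10:16:11 +0000] "GET /css/%2e%2e/status.cgi?x=1 HTTP/1.1" 200 300',
    '192.0.2.7 - - [03/Aug/2021:10:20:00 +0000] "POST /login.cgi HTTP/1.1" 302 0',
]


def decode_path(target, max_rounds=3):
    """Drop the query string and percent-decode repeatedly until the path stops
    changing, so double-encoded sequences such as %252f are also unfolded."""
    path = target.split('?', 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Treat backslashes as separators too; some embedded httpds accept them.
    return path.replace('\\', '/')


def is_traversal(decoded_path):
    """True if any path segment is '..' after decoding, i.e. the request tries
    to climb out of the directory it nominally addresses."""
    return any(segment == '..' for segment in decoded_path.split('/'))


def scan_log(lines):
    """Return one record per request whose decoded path contains a traversal
    sequence. Lines that do not parse as CLF are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_path(m['target'])
        if is_traversal(decoded):
            hits.append({
                'ip': m['ip'],
                'raw': m['target'],
                'decoded': decoded,
                'status': int(m['status']),
            })
    return hits


def attempts_by_source(hits):
    """Count traversal attempts per client address to spot scanners."""
    return Counter(h['ip'] for h in hits)


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['ip']}: {hit['raw']} -> {hit['decoded']} (HTTP {hit['status']})")
    print(dict(attempts_by_source(found)))
```

Decoding until the path stops changing matters because a single `unquote` turns `%252f` into `%2f` and would miss the second round; the status code is worth keeping in the record, since a 200 on a traversal request indicates the device served the page rather than rejecting the path.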
