A mere three days after disclosure, cyberattackers are hijacking home routers from 20 vendors & ISPs to add them to a Mirai-variant botnet used for carrying out DDoS attacks.
An authentication-bypass vulnerability affecting multiple routers and internet-of-things (IoT) devices is being actively exploited in the wild, according to researchers.
The security flaw, tracked as CVE-2021-20090, was disclosed last week by researchers at Tenable. It affects devices from 20 different vendors and ISPs (ADB, Arcadyan, ASMAX, ASUS, Beeline, British Telecom, Buffalo, Deutsche Telekom, HughesNet, KPN, O2, Orange, Skinny, SparkNZ, Telecom [Argentina], TelMex, Telstra, Telus, Verizon and Vodafone), all of which use the same firmware from Arcadyan. In all, millions of devices worldwide could be vulnerable.
Tenable demonstrated in a proof of concept (PoC) that it’s possible to modify a device’s configuration to enable Telnet on a vulnerable router and gain root level shell access to the device.
“The vulnerability exists due to a list of folders which fall under a ‘bypass list’ for authentication,” according to Tenable’s advisory on August 3. “For most of the devices listed, that means that the vulnerability can be triggered by multiple paths. For a device in which http://<ip>/index.htm requires authentication, an attacker could access index.htm using the following paths:
http://<ip>/images/..%2findex.htm http://<ip>/js/..%2findex.htm http://<ip>/css/..%2findex.htm “To have the pages load properly, one will need to use proxy match/replace settings to ensure any resources loaded which require authentication also leverage the path traversal,” the advisory continued.