Auth Bypass Bug Exploited, Affecting Millions of Routers


A mere three days after disclosure, cyberattackers are hijacking home routers from 20 vendors & ISPs to add them to a Mirai-variant botnet used for carrying out DDoS attacks.

An authentication-bypass vulnerability affecting multiple routers and internet-of-things (IoT) devices is being actively exploited in the wild, according to researchers.

The security flaw, tracked as CVE-2021-20090, was disclosed last week by researchers at Tenable. It affects devices from 20 different vendors and ISPs (ADB, Arcadyan, ASMAX, ASUS, Beeline, British Telecom, Buffalo, Deutsche Telekom, HughesNet, KPN, O2, Orange, Skinny, SparkNZ, Telecom [Argentina], TelMex, Telstra, Telus, Verizon and Vodafone), all of which use the same firmware from Arcadyan. In all, millions of devices worldwide could be vulnerable.

Tenable demonstrated in a proof of concept (PoC) that it’s possible to modify a device’s configuration to enable Telnet on a vulnerable router and gain root level shell access to the device.

Infosec Insiders Newsletter

“The vulnerability exists due to a list of folders which fall under a ‘bypass list’ for authentication,” according to Tenable’s advisory on August 3. “For most of the devices listed, that means that the vulnerability can be triggered by multiple paths. For a device in which http://<ip>/index.htm requires authentication, an attacker could access index.htm using the following paths:

  • http://<ip>/images/..%2findex.htm
  • http://<ip>/js/..%2findex.htm
  • http://<ip>/css/..%2findex.htm

“To have the pages load properly, one will need to use proxy match/replace settings to ensure any resources loaded which require authentication also leverage the path traversal,” the advisory continued.

Exploited to Spread Mirai Variant

Just three days after disclosure, on Friday, cybersecurity researchers from Juniper Networks said they had discovered active exploitation of the bug.

“We have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China,” they wrote in a post. “The attacker seems to be attempting to deploy a Mirai variant on the affected routers.”

Cleaving close to Tenable’s PoC, the attackers are modifying the configuration of the attacked device to enable Telnet using “ARC_SYS_TelnetdEnable=1” to take control, according to Juniper. Then, they proceed to download the Mirai variant from a command-and-control (C2) server and execute it.

Mirai is a long-running botnet that infects connected devices and can be used to mount distributed denial-of-service (DDoS) attacks. It burst on the scene in 2016, when it overwhelmed servers at the Dyn web hosting company, taking down more than 1,200 websites, including Netflix and Twitter. Its source code was leaked later that year, after which multiple Mirai variants began to crop up, in a barrage that continues to this day.

Some of the scripts in the current set of attacks bear resemblance to previously observed activity picked up in February and March, according to Juniper.

“The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability,” researchers wrote. “Given that most people may not even be aware of the security risk and won’t be upgrading their device anytime soon, this attack tactic can be very successful, cheap and easy to carry out.”

In addition to the router bug, Juniper researchers observed the following known vulnerabilities being exploited to gain initial access to target devices:

  • CVE-2020-29557 (DLink routers)
  • CVE-2021-1497 and CVE-2021-1498 (Cisco HyperFlex)
  • CVE-2021-31755 (Tenda AC11)
  • CVE-2021-22502 (MicroFocus OBR)
  • CVE-2021-22506 (MicroFocus AM)

In fact, the attackers have been continuously adding new exploits to its arsenal, according to the posting, and CVE-2021-20090 is unlikely to be the last.

“It is clear that threat actors keep an eye on all disclosed vulnerabilities,” researchers concluded. “Whenever an exploit PoC is published, it often takes them very little time to integrate it into their platform and launch attacks.”

To avoid compromise, users should update their firmware on the router.

“In the case of IoT devices or home gateways, the situation is much worse as most users are not tech-savvy and even those who are do not get informed about potential vulnerabilities and patches to apply,” according to Juniper. “The only sure way to remedy this issue is to require vendors to offer zero-down-time automatic updates.”

Threatpost Webinar Series Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.

Suggested articles