CERTVU:914124Arcadyan-based routers and modems vulnerable to authentication bypass
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%
Overview
A path traversal vulnerability exists in numerous routers manufactured by multiple vendors using Arcadyan based software. This vulnerability allows an unauthenticated user access to sensitive information and allows for the alteration of the router configuration.
Description
The vulnerability, identified as CVE-2021-20090, is a path traversal vulnerability. An unauthenticated attacker is able to leverage this vulnerability to access resources that would normally be protected. The researcher initially thought it was limited to one router manufacturer and published their findings, but then discovered that the issue existed in the Arcadyan based software that was being used in routers from multiple vendors.
Impact
Successful exploitation of this vulnerability could allow an attacker to access pages that would otherwise require authentication. An unauthenticated attacker could gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings.
Solution
The CERT/CC recommends updating your router to the latest available firmware version. It is also recommended to disable the remote (WAN-side) administration services on any SoHo router and also disable the web interface on the WAN.
Acknowledgements
Thanks to the reporter Evan Grant from Tenable.
This document was written by Timur Snoke.
Vendor Information
914124
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Buffalo Technology __ Affected
| Notified: 2021-07-06 Updated: 2021-08-03 CVE-2021-20090 | Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
References
Deutsche Telekom __ Affected
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
| CVE-2021-20090 | Affected |
|---|
Vendor Statement
a detailed List and Product Advisory is being created, as well as fixes.
ADTRAN Not Affected
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
| CVE-2021-20090 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
AVM GmbH __ Not Affected
Notified: 2021-08-10 Updated: 2021-08-12
Statement Date: August 12, 2021
| CVE-2021-20090 | Not Affected |
|---|
Vendor Statement
AVM does not utilize Arcadyan components.
References
Actiontec Not Affected
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
| CVE-2021-20090 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Brocade Communication Systems __ Not Affected
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
| CVE-2021-20090 | Not Affected |
|---|
Vendor Statement
No Brocade Fibre Channel Products from Broadcom products are currently known to be affected by this vulnerability.
Check Point Not Affected
Notified: 2021-08-10 Updated: 2021-08-11
Statement Date: August 11, 2021
| CVE-2021-20090 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Cradlepoint Not Affected
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
| CVE-2021-20090 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Dell Not Affected
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
| CVE-2021-20090 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
F5 Networks Inc. Not Affected
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
| CVE-2021-20090 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Intel Not Affected
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
| CVE-2021-20090 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Juniper Networks __ Not Affected
Notified: 2021-08-10 Updated: 2021-10-07
Statement Date: October 07, 2021
| CVE-2021-20090 | Not Affected |
|---|
Vendor Statement
Juniper Networks Junos OS and Junos OS Evolved are not affected by CVE-2021-20090, CVE-2021-20091, and CVE-2021-20092.
References
- [SIR-2021-353 and PR 1613180 were created for this issue.](<SIR-2021-353 and PR 1613180 were created for this issue.>)
LANCOM Systems GmbH Not Affected
Notified: 2021-08-10 Updated: 2021-08-16
Statement Date: August 16, 2021
| CVE-2021-20090 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
OpenWRT Not Affected
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
| CVE-2021-20090 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Peplink Not Affected
Notified: 2021-08-10 Updated: 2021-08-11
Statement Date: August 11, 2021
| CVE-2021-20090 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Sierra Wireless Not Affected
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
| CVE-2021-20090 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Synology Not Affected
Notified: 2021-08-10 Updated: 2021-08-12
Statement Date: August 12, 2021
| CVE-2021-20090 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Wind River __ Not Affected
Notified: 2021-08-10 Updated: 2021-09-06
Statement Date: September 06, 2021
| CVE-2021-20090 | Not Affected |
|---|
Vendor Statement
VxWorks are not affect as we do not use Arcadyan-based routers and modems
Zyxel Not Affected
Notified: 2021-08-10 Updated: 2021-08-18
Statement Date: August 18, 2021
| CVE-2021-20090 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
dd-wrt Not Affected
Notified: 2021-08-10 Updated: 2021-08-11
Statement Date: August 11, 2021
| CVE-2021-20090 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
D-Link Systems Inc. __ Unknown
Notified: 2021-08-10 Updated: 2021-09-06
Statement Date: August 31, 2021
| CVE-2021-20090 | Unknown |
|---|
Vendor Statement
D-Link US SIRT,
After full investigation, D-Link has confirmed that no D-Link product are affected by this issue.
Regards, [email protected] William Brown D-Link US SIRT
References
- [None Applicable](<None Applicable>)
A10 Networks Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
ACCESS Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
ARRIS Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
ASUSTeK Computer Inc. Unknown
| Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
AT&T Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Alcatel-Lucent Enterprise Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Arcadyan Unknown
| Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Avaya Inc. Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Beeline Unknown
| Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Belkin Inc. Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
British Telecommunications Unknown
| Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Cisco Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Comcast Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Commscope Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Extreme Networks Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
F-Secure Corporation Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Hitachi Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Huawei Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Hughes Network Systems Inc. Unknown
| Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
IBM Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Linksys Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
MikroTik Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Mitel Networks Inc. Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Motorola Inc. Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
NETGEAR Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
NetComm Wireless Limited Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Nokia Unknown
Notified: 2021-08-10 Updated: 2021-08-10
Statement Date: August 10, 2021
| CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Quagga Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Quantenna Communications Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Ruckus Wireless Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
SMC Networks Inc. Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
TDS Telecom Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
TP-LINK Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Technicolor Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Telus Unknown
| Notified: 2021-07-08 Updated: 2021-07-20 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Ubiquiti Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Verizon Unknown
| Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Vodafone Group Inc. Unknown
| Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
eero Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
pfSense Unknown
| Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
View all 61 vendors __View less vendors __
References
- <https://www.tenable.com/security/research/tra-2021-13>
- <https://vulners.com/cve/CVE-2021-20090>
- <https://www.buffalo.jp/news/detail/20210427-03.html>
- <https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2>
Other Information
| CVE IDs: | CVE-2021-20090 |
|---|---|
| Date Public: | 2021-07-20 Date First Published: |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%