Lucene search

K
certCERTVU:914124
HistoryJul 20, 2021 - 12:00 a.m.

Arcadyan-based routers and modems vulnerable to authentication bypass

2021-07-2000:00:00
www.kb.cert.org
74

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.975

Percentile

100.0%

Overview

A path traversal vulnerability exists in numerous routers manufactured by multiple vendors using Arcadyan based software. This vulnerability allows an unauthenticated user access to sensitive information and allows for the alteration of the router configuration.

Description

The vulnerability, identified as CVE-2021-20090, is a path traversal vulnerability. An unauthenticated attacker is able to leverage this vulnerability to access resources that would normally be protected. The researcher initially thought it was limited to one router manufacturer and published their findings, but then discovered that the issue existed in the Arcadyan based software that was being used in routers from multiple vendors.

Impact

Successful exploitation of this vulnerability could allow an attacker to access pages that would otherwise require authentication. An unauthenticated attacker could gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings.

Solution

The CERT/CC recommends updating your router to the latest available firmware version. It is also recommended to disable the remote (WAN-side) administration services on any SoHo router and also disable the web interface on the WAN.

Acknowledgements

Thanks to the reporter Evan Grant from Tenable.

This document was written by Timur Snoke.

Vendor Information

914124

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Buffalo Technology __ Affected

Notified: 2021-07-06 Updated: 2021-08-03 CVE-2021-20090 Affected

Vendor Statement

We have not received a statement from the vendor.

References

Deutsche Telekom __ Affected

Notified: 2021-08-10 Updated: 2021-08-10

Statement Date: August 10, 2021

CVE-2021-20090 Affected

Vendor Statement

a detailed List and Product Advisory is being created, as well as fixes.

ADTRAN Not Affected

Notified: 2021-08-10 Updated: 2021-08-10

Statement Date: August 10, 2021

CVE-2021-20090 Not Affected

Vendor Statement

We have not received a statement from the vendor.

AVM GmbH __ Not Affected

Notified: 2021-08-10 Updated: 2021-08-12

Statement Date: August 12, 2021

CVE-2021-20090 Not Affected

Vendor Statement

AVM does not utilize Arcadyan components.

References

Actiontec Not Affected

Notified: 2021-08-10 Updated: 2021-08-10

Statement Date: August 10, 2021

CVE-2021-20090 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Brocade Communication Systems __ Not Affected

Notified: 2021-08-10 Updated: 2021-08-10

Statement Date: August 10, 2021

CVE-2021-20090 Not Affected

Vendor Statement

No Brocade Fibre Channel Products from Broadcom products are currently known to be affected by this vulnerability.

Check Point Not Affected

Notified: 2021-08-10 Updated: 2021-08-11

Statement Date: August 11, 2021

CVE-2021-20090 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Cradlepoint Not Affected

Notified: 2021-08-10 Updated: 2021-08-10

Statement Date: August 10, 2021

CVE-2021-20090 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Dell Not Affected

Notified: 2021-08-10 Updated: 2021-08-10

Statement Date: August 10, 2021

CVE-2021-20090 Not Affected

Vendor Statement

We have not received a statement from the vendor.

F5 Networks Inc. Not Affected

Notified: 2021-08-10 Updated: 2021-08-10

Statement Date: August 10, 2021

CVE-2021-20090 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Intel Not Affected

Notified: 2021-08-10 Updated: 2021-08-10

Statement Date: August 10, 2021

CVE-2021-20090 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Juniper Networks __ Not Affected

Notified: 2021-08-10 Updated: 2021-10-07

Statement Date: October 07, 2021

CVE-2021-20090 Not Affected

Vendor Statement

Juniper Networks Junos OS and Junos OS Evolved are not affected by CVE-2021-20090, CVE-2021-20091, and CVE-2021-20092.

References

  • [SIR-2021-353 and PR 1613180 were created for this issue.](<SIR-2021-353 and PR 1613180 were created for this issue.>)

LANCOM Systems GmbH Not Affected

Notified: 2021-08-10 Updated: 2021-08-16

Statement Date: August 16, 2021

CVE-2021-20090 Not Affected

Vendor Statement

We have not received a statement from the vendor.

OpenWRT Not Affected

Notified: 2021-08-10 Updated: 2021-08-10

Statement Date: August 10, 2021

CVE-2021-20090 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Peplink Not Affected

Notified: 2021-08-10 Updated: 2021-08-11

Statement Date: August 11, 2021

CVE-2021-20090 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Sierra Wireless Not Affected

Notified: 2021-08-10 Updated: 2021-08-10

Statement Date: August 10, 2021

CVE-2021-20090 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Synology Not Affected

Notified: 2021-08-10 Updated: 2021-08-12

Statement Date: August 12, 2021

CVE-2021-20090 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Wind River __ Not Affected

Notified: 2021-08-10 Updated: 2021-09-06

Statement Date: September 06, 2021

CVE-2021-20090 Not Affected

Vendor Statement

VxWorks are not affect as we do not use Arcadyan-based routers and modems

Zyxel Not Affected

Notified: 2021-08-10 Updated: 2021-08-18

Statement Date: August 18, 2021

CVE-2021-20090 Not Affected

Vendor Statement

We have not received a statement from the vendor.

dd-wrt Not Affected

Notified: 2021-08-10 Updated: 2021-08-11

Statement Date: August 11, 2021

CVE-2021-20090 Not Affected

Vendor Statement

We have not received a statement from the vendor.

D-Link Systems Inc. __ Unknown

Notified: 2021-08-10 Updated: 2021-09-06

Statement Date: August 31, 2021

CVE-2021-20090 Unknown

Vendor Statement

D-Link US SIRT,

After full investigation, D-Link has confirmed that no D-Link product are affected by this issue.

Regards, [email protected] William Brown D-Link US SIRT

References

  • [None Applicable](<None Applicable>)

A10 Networks Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

ACCESS Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

ARRIS Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

ASUSTeK Computer Inc. Unknown

Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

AT&T Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Alcatel-Lucent Enterprise Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Arcadyan Unknown

Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Avaya Inc. Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Beeline Unknown

Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Belkin Inc. Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

British Telecommunications Unknown

Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Cisco Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Comcast Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Commscope Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Extreme Networks Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

F-Secure Corporation Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Hitachi Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Huawei Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Hughes Network Systems Inc. Unknown

Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

IBM Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Linksys Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

MikroTik Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Mitel Networks Inc. Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Motorola Inc. Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

NETGEAR Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

NetComm Wireless Limited Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Nokia Unknown

Notified: 2021-08-10 Updated: 2021-08-10

Statement Date: August 10, 2021

CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Quagga Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Quantenna Communications Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Ruckus Wireless Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

SMC Networks Inc. Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

TDS Telecom Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

TP-LINK Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Technicolor Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Telus Unknown

Notified: 2021-07-08 Updated: 2021-07-20 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Ubiquiti Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Verizon Unknown

Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

Vodafone Group Inc. Unknown

Notified: 2021-07-06 Updated: 2021-07-20 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

eero Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

pfSense Unknown

Notified: 2021-08-10 Updated: 2021-08-10 CVE-2021-20090 Unknown

Vendor Statement

We have not received a statement from the vendor.

View all 61 vendors __View less vendors __

References

Other Information

CVE IDs: CVE-2021-20090
Date Public: 2021-07-20 Date First Published:

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.975

Percentile

100.0%