It’s easy to neglect our routers.
Even after they’re out of the box and configured – ideally after you’ve changed their default username and password – the most the device does is sit there alongside your modem, forever a blinking beacon on a shelf.
It usually isn't until a vulnerability surfaces, accompanied by words like "critical" or "bypass", that they command our attention.
That's the case this week, as router owners are being urged to pay attention to a particularly troublesome path traversal vulnerability in routers (and modems) that run the Arcadyan firmware. Arcadyan, a Taiwanese OEM of DSL routers, supplies firmware found in devices sold by ASUS, Orange, Vodafone, and Verizon, to name a few.
Researchers warned last week that attackers are actively exploiting the vulnerability, CVE-2021-20090, and that it can lead to an authentication bypass, which in turn can lead to device takeover.
While the CVE is new, the vulnerability isn't: it has existed in some form, in models from multiple vendors, for at least 10 years, according to Evan Grant, a staff research engineer at Tenable who uncovered the vulnerability and wrote about it earlier this month.
The security community doubled down on Tenable's outcry over the vulnerability last week when researchers with Juniper Threat Labs saw it being exploited via an IP address in China. Specifically, researchers saw attackers distributing a variant of the Mirai botnet via scripts.
“Given that most people may not even be aware of the security risk and won’t be upgrading their device anytime soon, this attack tactic can be very successful, cheap and easy to carry out,” the researchers wrote of the vulnerability.
What's most likely, the researchers posit, is that a group there is periodically adding new proof-of-concept exploits to its arsenal; over the past two months the group has been observed exploiting CVEs in D-Link routers, Cisco HyperFlex systems, and now potentially millions of home routers and modems.
While the exact number of vulnerable devices is uncertain, if the vulnerability is indeed 10 years old and present on devices that run Arcadyan firmware (37 different devices are listed in Tenable's advisory), its impact could be far-reaching.
As exploitation is clearly beginning to ramp up, if you have one of the potentially vulnerable routers (again, Tenable's advisory has the full list), it's worth asking the vendor whether patches are available.
In addition to updating your router to the latest firmware version, Carnegie Mellon University's CERT Coordination Center also recommends disabling any remote WAN-side administration services along with any web interfaces if they're present.
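For anyone who keeps access logs from a router's web interface (or from a reverse proxy in front of it), a simple way to spot the class of attack described above is to look for request paths that contain directory-traversal segments. The script below is an added example, not code from this article, Tenable, or Juniper Threat Labs: it parses constructed common-log-format lines, percent-decodes each request path repeatedly (so double-encoded `..` is caught too), and flags any request whose path contains a `..` segment. It is a generic detector for the traversal pattern, not a signature for CVE-2021-20090 specifically; the log lines and paths are made up for illustration.

```python
"""Flag HTTP requests whose path contains directory-traversal segments.

Added example, not taken from the article or from Tenable/Juniper. It reads
web-server access-log lines in the common log format and reports requests
whose path, after percent-decoding, contains a ".." path segment.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines (common log format); these are not real captures.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Aug/2021:10:01:12 +0000] "GET /index.htm HTTP/1.1" 200 1532',
    '192.0.2.44 - - [05/Aug/2021:10:01:15 +0000] "GET /images/..%2fmgmt/settings.cgi HTTP/1.1" 200 88',
    '192.0.2.44 - - [05/Aug/2021:10:01:16 +0000] "GET /images/%2e%2e/%2e%2e/cgi-bin/login HTTP/1.1" 200 88',
    '192.0.2.77 - - [05/Aug/2021:10:02:01 +0000] "GET /images/logo..png HTTP/1.1" 200 4100',
    '192.0.2.99 - - [05/Aug/2021:10:02:30 +0000] "POST /images/..%252fmgmt/apply HTTP/1.1" 200 12',
]

# Minimal common-log-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(path, max_rounds=3):
    """Percent-decode until the value stops changing, so "%252e" -> "%2e" -> "."."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(raw_path):
    """True if the decoded path has a ".." segment.

    Any ".." segment is flagged, because normal clients normalise paths before
    sending them; "logo..png" is not flagged since ".." is not a whole segment.
    Backslashes are treated as separators in case the server accepts them.
    Decoding more than once is deliberately conservative: whether a given
    server decodes twice is server-specific, so double-encoded forms are
    reported rather than ignored.
    """
    path = decode_fully(raw_path.split('?', 1)[0]).replace('\\', '/')
    return any(segment == '..' for segment in path.split('/'))


def find_traversal_requests(lines):
    """Return (ip, method, raw_path) for each parsable line with a traversal path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal(m.group('path')):
            hits.append((m.group('ip'), m.group('method'), m.group('path')))
    return hits


if __name__ == '__main__':
    for ip, method, path in find_traversal_requests(SAMPLE_LOG):
        print(f'traversal attempt from {ip}: {method} {path}')
```

Run it against a real log file by replacing `SAMPLE_LOG` with the file's lines; a hit from a WAN-side address is exactly the kind of request that disabling remote administration, as CERT/CC recommends, would have prevented from reaching the device at all.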