Security issues and unpatched vulnerabilities in Wi-Fi devices like routers enable threat actors to infiltrate other vulnerable IoT devices on the same network. An analysis from security firm Tenable uncovered a 12-year-old vulnerability in the web interface software of Arcadyan and Buffalo routers. Tracked as CVE-2021-20090, the vulnerability is a path traversal bug that allows a remote attacker to bypass authentication to the web interface and compromise the vulnerable devices, affecting millions of users globally.
Over 20 routers and modems across 17 different vendors were discovered, including 13 Internet Service Providers (ISPs) used in Argentina, the U.S., Australia, Canada, Germany, Japan, New Zealand, Mexico, the Netherlands, Russia, and Spain. Almost all routers identified by Tenable are affected by CVE-2021-20090. Attackers can leverage this vulnerability to obtain authorized access to other devices on the same home/corporate network.
“Consumers shouldn’t have to worry whether the device provided to them by their ISP is secure or vulnerable to attack. We’re reliant on providers to sell quality equipment that’s secure by design. Hopefully, the vendors affected by this vulnerability will take steps to mitigate the impact of these vulnerabilities on their products and customers,” said Evan Grant, staff research engineer at Tenable.
The Flaw Went Unnoticed for 12 Years
That the vulnerability went unnoticed for more than a decade indicates that the manufacturers or vendors did not perform their due diligence before sending the devices to the consumer market. The researchers stated the issue could have been identified by a thorough review of the web interface code, which was not done in this case. If this vulnerability had been discovered by a cybercriminal, the damage could have been worse.
End Users at High Risk
The vulnerability has left millions of home and corporate routers at risk. The rise of consumer IoT devices enabled users to share their personal information with online businesses and services. The use of IoT and other remote working tools has increased with the rise in distributed work culture. So, the CVE-2021-20090 flaw affects home and corporate networks, exposing organizations’ critical systems to supply chain attacks.
“This type of supply chain risk is particularly concerning given the prevalence of remote work. Consumer devices are being used to conduct business operations. Now, employees’ home networks are an extension of the corporate attack surface and home routers are the virtual gateway,” Grant added.