2.02.2022


KZ-CERT service recommends updating Arcadyan routers

During its monitoring of the Kazakhstani segment of the Internet for information security threats, the KZ-CERT Computer Emergency Response Team of STS JSC detected IP addresses of routers potentially vulnerable to CVE-2021-20090, a vulnerability in devices running firmware based on code from the manufacturer “Arcadyan”.

CVE-2021-20090 is a path-traversal vulnerability that leads to authentication bypass. The danger to users is that an attacker who exploits it can gain control of the affected device.

It is worth noting that the vulnerability's CVSS (Common Vulnerability Scoring System) severity score is 9.8 out of 10.

The vulnerability potentially affects millions of home routers (and other IoT devices using the same vulnerable codebase) manufactured by at least 17 vendors, according to research from Tenable. The common thread between these devices is the firmware of the manufacturer “Arcadyan”.

Successfully exploiting this vulnerability could allow an attacker to gain access to the pages that are behind the authentication form. An unauthenticated attacker can gain access to sensitive information, including request tokens, which can be used to make requests to change router settings.

To prevent possible attacks on Arcadyan routers at the identified IP addresses in the Kazakhstani segment of the Internet, the KZ-CERT Computer Emergency Response Team sent notifications about the information security threat to telecom operators, so that they can notify their customers, and directly to the owners of vulnerable routers.

The experts of the KZ-CERT Computer Emergency Response Team recommend the following:

• Update Arcadyan routers to the current firmware version in which the vulnerability is fixed;

• Check the router's web server for signs of “Path Traversal” attacks. If an attack is confirmed, change the passwords of any accounts that may have been compromised;

• Check log files for requests from unknown third parties and other anomalies;

• Disable remote administration services (from the WAN side) on any SoHo router, including the web interface exposed to the WAN.
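As an added example that is not part of the KZ-CERT advisory, the script below applies the log-review recommendation: it parses web-server access-log lines in the Apache/nginx “combined” format (an assumption; router log formats vary), percent-decodes each requested path repeatedly so that encoded and double-encoded `..` sequences are not missed, and reports which traversal attempts the device answered with HTTP 200. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Feb/2022:10:01:12 +0600] "GET /index.htm HTTP/1.1" 200 5120
203.0.113.7 - - [02/Feb/2022:10:02:30 +0600] "GET /static/..%2fstatus.htm HTTP/1.1" 200 812
203.0.113.9 - - [02/Feb/2022:10:03:01 +0600] "GET /css/%2e%2e%2f%2e%2e%2fsetup.htm HTTP/1.1" 200 1300
198.51.100.4 - - [02/Feb/2022:10:04:45 +0600] "POST /login.htm HTTP/1.1" 302 0
198.51.100.8 - - [02/Feb/2022:10:05:10 +0600] "GET /js/..%252f..%252fsetup.htm HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." bounded by a slash or backslash on either side (or string end).
TRAVERSAL_RE = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so that double-encoded sequences
    such as %252f (-> %2f -> /) are caught; stop once the value is stable."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def scan_log(text: str) -> list:
    """Return one finding per request whose decoded path contains a
    traversal sequence; 'served' is True when the device answered 200."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        decoded = fully_decode(m['path'])
        if TRAVERSAL_RE.search(decoded):
            findings.append({
                'ip': m['ip'], 'time': m['ts'], 'raw': m['path'],
                'decoded': decoded, 'status': int(m['status']),
                'served': m['status'] == '200',
            })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        flag = 'SERVED' if f['served'] else 'blocked'
        print(f"{f['time']} {f['ip']} {flag} {f['raw']} -> {f['decoded']}")
```

A traversal request answered with 200 on a device that has not been updated is the case that warrants the password change recommended above; a 403 shows the request was rejected.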
