{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/914124#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nA path traversal vulnerability exists in numerous routers manufactured by multiple vendors using Arcadyan-based software. This vulnerability allows an unauthenticated user access to sensitive information and allows for the alteration of the router configuration.\r\n### Description\r\nThe vulnerability, identified as [CVE-2021-20090](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20090), is a path traversal vulnerability. An unauthenticated attacker is able to leverage this vulnerability to access resources that would normally be protected. The researcher initially thought it was limited to one router manufacturer and published their [findings](https://www.tenable.com/security/research/tra-2021-13), but then discovered that the issue existed in the Arcadyan-based software that was being used in routers from multiple vendors.\r\n\r\n### Impact\r\nSuccessful exploitation of this vulnerability could allow an attacker to access pages that would otherwise require authentication. An unauthenticated attacker could gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings.\r\n### Solution\r\nThe CERT/CC recommends updating your router to the latest available firmware version. It is also recommended to disable remote (WAN-side) administration services on any SoHo router and to disable the web interface on the WAN.\r\n\r\n### Acknowledgements\r\nThanks to the reporter Evan Grant from Tenable.\r\n\r\nThis document was written by Timur Snoke.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL, if provided by the vendor, for more details.","title":"Limitations of Advisory"},{"category":"other","text":"No Brocade Fibre Channel products from Broadcom are currently known to be affected by this vulnerability.","title":"Vendor statement from Brocade Communication Systems"},{"category":"other","text":"A detailed list and product advisory is being created, as well as fixes.","title":"Vendor statement from Deutsche Telekom"},{"category":"other","text":"D-Link US SIRT,\r\n\r\nAfter full investigation, D-Link has confirmed that no D-Link products are affected by this issue.\r\n\r\nRegards,\r\nsecurity@dlink.com\r\nWilliam Brown\r\nD-Link US SIRT","title":"Vendor statement from D-Link Systems Inc."},{"category":"other","text":"VxWorks is not affected as we do not use Arcadyan-based routers and modems.","title":"Vendor statement from Wind River"},{"category":"other","text":"Juniper Networks Junos OS and Junos OS Evolved are not affected by CVE-2021-20090, CVE-2021-20091, and CVE-2021-20092.","title":"Vendor statement from Juniper Networks"},{"category":"other","text":"AVM does not utilize Arcadyan components.","title":"Vendor statement from AVM GmbH"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure 
policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/914124"},{"url":"https://www.tenable.com/security/research/tra-2021-13","summary":"https://www.tenable.com/security/research/tra-2021-13"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20090","summary":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20090"},{"url":"https://www.buffalo.jp/news/detail/20210427-03.html","summary":"https://www.buffalo.jp/news/detail/20210427-03.html"},{"url":"https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2","summary":"https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2"},{"url":"https://www.buffalo.jp/news/detail/20210427-03.html","summary":"Reference(s) from vendor \"Buffalo Technology\""},{"url":"https://en.avm.de/security/","summary":"Reference(s) from vendor \"AVM GmbH\""}],"title":"Arcadyan-based routers and modems vulnerable to authentication bypass","tracking":{"current_release_date":"2021-10-07T20:26:50+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#914124","initial_release_date":"2021-07-20 20:21:21.698577+00:00","revision_history":[{"date":"2021-10-07T20:26:50+00:00","number":"1.20211007202650.15","summary":"Released on 2021-10-07T20:26:50+00:00"}],"status":"final","version":"1.20211007202650.15"}},"vulnerabilities":[{"title":"Path Traversal leading to Authentication Bypass.","notes":[{"category":"summary","text":"Path Traversal leading to Authentication Bypass"}],"cve":"CVE-2021-20090","ids":[{"system_name":"CERT/CC V Identifier 
","text":"VU#914124"}],"product_status":{"known_affected":["CSAFPID-f8bc17c6-3a71-11f1-a172-0afffb3ee71d","CSAFPID-f8bc4d86-3a71-11f1-a172-0afffb3ee71d"],"known_not_affected":["CSAFPID-f8b70bf0-3a71-11f1-a172-0afffb3ee71d","CSAFPID-f8b7608c-3a71-11f1-a172-0afffb3ee71d","CSAFPID-f8b7b38e-3a71-11f1-a172-0afffb3ee71d","CSAFPID-f8b7f4d4-3a71-11f1-a172-0afffb3ee71d","CSAFPID-f8b82d78-3a71-11f1-a172-0afffb3ee71d","CSAFPID-f8b859f6-3a71-11f1-a172-0afffb3ee71d","CSAFPID-f8b88700-3a71-11f1-a172-0afffb3ee71d","CSAFPID-f8b8b540-3a71-11f1-a172-0afffb3ee71d","CSAFPID-f8b8ee8e-3a71-11f1-a172-0afffb3ee71d","CSAFPID-f8b91c6a-3a71-11f1-a172-0afffb3ee71d","CSAFPID-f8b94744-3a71-11f1-a172-0afffb3ee71d","CSAFPID-f8b97d54-3a71-11f1-a172-0afffb3ee71d","CSAFPID-f8b9c69c-3a71-11f1-a172-0afffb3ee71d","CSAFPID-f8ba68fe-3a71-11f1-a172-0afffb3ee71d","CSAFPID-f8baa508-3a71-11f1-a172-0afffb3ee71d","CSAFPID-f8bb2140-3a71-11f1-a172-0afffb3ee71d","CSAFPID-f8bb6b8c-3a71-11f1-a172-0afffb3ee71d","CSAFPID-f8bbe562-3a71-11f1-a172-0afffb3ee71d"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Juniper Networks","product":{"name":"Juniper Networks Products","product_id":"CSAFPID-f8b70bf0-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Zyxel","product":{"name":"Zyxel Products","product_id":"CSAFPID-f8b7608c-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Wind River","product":{"name":"Wind River Products","product_id":"CSAFPID-f8b7b38e-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"LANCOM Systems GmbH","product":{"name":"LANCOM Systems GmbH Products","product_id":"CSAFPID-f8b7f4d4-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Peplink","product":{"name":"Peplink Products","product_id":"CSAFPID-f8b82d78-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"AVM GmbH","product":{"name":"AVM GmbH Products","product_id":"CSAFPID-f8b859f6-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Synology","product":{"name":"Synology 
Products","product_id":"CSAFPID-f8b88700-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Check Point","product":{"name":"Check Point Products","product_id":"CSAFPID-f8b8b540-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"dd-wrt","product":{"name":"dd-wrt Products","product_id":"CSAFPID-f8b8ee8e-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Brocade Communication Systems","product":{"name":"Brocade Communication Systems Products","product_id":"CSAFPID-f8b91c6a-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Dell","product":{"name":"Dell Products","product_id":"CSAFPID-f8b94744-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Sierra Wireless","product":{"name":"Sierra Wireless Products","product_id":"CSAFPID-f8b97d54-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-f8b9c69c-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Actiontec","product":{"name":"Actiontec Products","product_id":"CSAFPID-f8ba68fe-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"ADTRAN","product":{"name":"ADTRAN Products","product_id":"CSAFPID-f8baa508-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"D-Link Systems Inc.","product":{"name":"D-Link Systems Inc. Products","product_id":"CSAFPID-f8bae40a-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"OpenWRT","product":{"name":"OpenWRT Products","product_id":"CSAFPID-f8bb2140-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Cradlepoint","product":{"name":"Cradlepoint Products","product_id":"CSAFPID-f8bb6b8c-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Nokia","product":{"name":"Nokia Products","product_id":"CSAFPID-f8bbb060-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"F5 Networks Inc.","product":{"name":"F5 Networks Inc. 
Products","product_id":"CSAFPID-f8bbe562-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Deutsche Telekom","product":{"name":"Deutsche Telekom Products","product_id":"CSAFPID-f8bc17c6-3a71-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Buffalo Technology","product":{"name":"Buffalo Technology Products","product_id":"CSAFPID-f8bc4d86-3a71-11f1-a172-0afffb3ee71d"}}]}}