CVE-2021-20090: Where the Buffalo Get Owned
On August 3rd, Tenable Security disclosed a vulnerability in a line of residential routers from Buffalo Technologies using firmware developed by Arcadyan. Three days later, researchers confirmed that attackers were actively exploiting vulnerable devices in an attempt to deploy malware.
As of August 12th, Censys identified 4,378 devices that match the fingerprint that Tenable published. Arcadyan devices respond with several distinguishing properties, such as unique header values in HTTP responses and several SSL certificates, including:
Running a Censys certificate analysis on these three fingerprints confirms that these certificates share common values and allows us to search for hosts in broader terms:
Given that many of the reports coming in are claiming that “millions” of devices are affected, it’s evident that Censys was only able to find a tiny fraction of these hosts listening on the public internet.
Since these manufacturers deal primarily in Europe and East Asia, devices Censys identified were in the areas seen in the geographic heatmap below.
In the following tables, we can see the majority of these devices are located in Japan (57% with 2,534 hosts), Spain (11% with 522 hosts), and Argentina (7% with 320 hosts).
Full Timeline of Events
Initially, Tenable researchers reported the vulnerability to a single vendor, Buffalo, who confirmed the issue on February 24th and escalated to Buffalo’s office in Japan. It was around this time that Tenable discovered the vulnerability was not specific to Buffalo, but rather affected any device using firmware developed by the manufacturer Arcadyan.
Tenable researchers found the vulnerable code in a programming library shared across multiple vendors and used by 13 ISPs across 11 countries. The code has been vulnerable for an estimated ten years.
Vulnerable devices can be compromised using a simple directory traversal exploit, allowing an attacker to modify the device’s configuration to enable shell access and bypass the authentication step altogether. Tenable has posted a detailed article on the entire exploitation process here.
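For defenders reviewing proxy or web-server logs in front of a device's administration interface, the following added example (not from the original article or from Tenable) flags requests whose path contains a directory-traversal segment, including percent-encoded forms. The log format, paths and IP addresses are constructed, and this page does not give the exact request used against Arcadyan firmware, so the check covers the general traversal class.

```python
import re
from urllib.parse import unquote

# Matches the request line inside a common-log-format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap double/triple percent-encoding


def decoded_path(target: str) -> str:
    """Drop the query string, then percent-decode until the path stops changing."""
    path = target.split("?", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")  # treat backslashes as separators too


def has_traversal(target: str) -> bool:
    """True if any path segment is exactly '..' after decoding."""
    return ".." in decoded_path(target).split("/")


def suspicious_requests(log_lines):
    """Return (client_ip, target) for each request whose path climbs directories."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and has_traversal(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target")))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Aug/2021:10:01:02 +0000] "GET /assets/logo.png HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/Aug/2021:10:01:05 +0000] "GET /assets/..%2fsetup.htm HTTP/1.1" 200 4096',
    '203.0.113.9 - - [06/Aug/2021:10:01:06 +0000] "POST /static/%252e%252e/settings.cgi HTTP/1.1" 200 87',
    '198.51.100.7 - - [06/Aug/2021:10:01:09 +0000] "GET /help/version..txt HTTP/1.1" 200 20',
    '192.0.2.44 - - [06/Aug/2021:10:01:11 +0000] "GET /index.htm?next=../x HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, target in suspicious_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

Only the path is inspected, so a `..` inside a query string or inside a file name such as `version..txt` is not flagged.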
Arcadyan confirmed the issues on April 25th and informed Tenable that a patch was in the works. When Tenable asked for a list of affected devices, Arcadyan went silent, and as it turns out, that list was rather extensive.
On August 6th, just three days after the report went public, Juniper Threat Labs confirmed that the bug is being actively used by a group of attackers who have executed similar attacks on home networking devices in the past to install the IoT botnet malware Mirai.
we have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China.
— Juniper Threat Labs
Why does it matter?
Now that Juniper has confirmed attackers are attempting to use this vulnerability to install the Mirai botnet, unprotected devices may be unwittingly scanning and attacking other hosts, participating in orchestrated distributed denial of service attacks, and engaging in fraudulent activities.
What’s most alarming about this whole mess is the amount of time between public disclosure and confirmed active exploitation. Security research is not a one-way mirror, and when it comes to vulnerability discovery, always assume the bad actors are monitoring the same intel feeds as defenders.
What do I do about it?
The list of vulnerable devices is still growing, and details are still emerging on the malware front. We cannot assume the average internet user keeps up with security trends and actively participates in patch management. The only remedy is a clear line of communication between service providers and their customers to upgrade these devices promptly.
- Immediately upgrade any devices you own that are found in CERT’s growing list of affected vendors.
- Ensure all networking devices have up-to-date software.
- Do not expose router administration interfaces to the internet.
- Continually monitor your infrastructure manually with Censys Search, or automatically using Censys ASM to identify unintentionally exposed ports and services.
- CVE-2021-20090 on Mitre
- Bypassing Authentication on Arcadyan Routers with CVE-2021-20090 on Tenable’s Techblog
- CVE-2021-20090 Overview on Tenable.com
- Freshly Disclosed Vulnerability CVE-2021-20090 Exploited in the Wild on Juniper’s Blog
- Auth Bypass Bug Exploited, Affecting Millions of Routers on Threatpost