12-year-old authentication bypass vulnerability affects 20 router models

Information security experts report the discovery of an authentication bypass vulnerability that would allow threat actors to compromise the networks to which at least 20 different router models connect. According to Evan Grant of security firm Tenable, the flaw is a critical path traversal error tracked as CVE-2021-20090, with a score of 9.8/10 under the Common Vulnerability Scoring System (CVSS).

The expert mentioned that the flaw has existed for at least the past 12 years, at least on Buffalo routers, specifically in Arcadyan-based web interface software.

In his research, the expert mentions that one of the main features to analyze in any web application is how it manages the authentication process. Grant discovered that the bypass_check() function compares only as many bytes as there are in each bypass_list string.

This means that when a user requests http://router/images/someimage.png, the comparison matches: the requested URL begins with /images/, and /images/ is on the skip list.

Grant mentions that the bypass_check() function does not check what follows the matched prefix, such as ‘someimage.png’: “If, for example, we try to get to /images/..%2finfo.html, the /info.html URL typically contains all the good LAN/WAN information when we first log on to the device, but returns unauthenticated users to the login screen.”
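The prefix-only comparison described above, next to a hardened variant, as an added example that is not the firmware's or the researcher's code. Only the names bypass_check and bypass_list come from the article; the function bodies, the helpers and the single-entry skip list are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed skip list: the article names only /images/ as an entry. */
static const char *bypass_list[] = { "/images/", NULL };

/* The flaw as described: only strlen(entry) bytes are compared. */
int bypass_check_prefix_only(const char *url) {
    for (size_t i = 0; bypass_list[i]; i++)
        if (strncmp(url, bypass_list[i], strlen(bypass_list[i])) == 0)
            return 1;               /* 1 = served without authentication */
    return 0;
}

/* Hypothetical helper: percent-decode src into dst; -1 on bad escape or NUL. */
static int url_decode(const char *src, char *dst) {
    while (*src) {
        if (*src != '%') { *dst++ = *src++; continue; }
        if (!isxdigit((unsigned char)src[1]) || !isxdigit((unsigned char)src[2]))
            return -1;
        char hex[3] = { src[1], src[2], '\0' };
        char c = (char)strtol(hex, NULL, 16);
        if (c == '\0') return -1;
        *dst++ = c;
        src += 3;
    }
    *dst = '\0';
    return 0;
}

/* Hypothetical helper: does any path segment equal ".."? */
static int has_dotdot_segment(const char *p) {
    while (*p) {
        while (*p == '/') p++;
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') return 1;
        p += n;
    }
    return 0;
}

/* Hardened variant: decode first, fail closed, then compare the prefix. */
int bypass_check_hardened(const char *url) {
    char path[256];
    if (strlen(url) >= sizeof path || url_decode(url, path) != 0
        || has_dotdot_segment(path))
        return 0;                   /* 0 = authentication required */
    return bypass_check_prefix_only(path);
}
```

The hardened check must run on the same decoded form of the path that the file handler later uses; if a later stage decodes again, the check belongs after that stage.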

During testing, the researcher managed to exploit the vulnerability to bypass authentication, allowing unauthenticated users to access pages they should not be able to access. Threat actors could also obtain httokens to send GET/POST requests for sensitive information, gaining the ability to make configuration changes.

For Buffalo routers, the problem was fixed on Buffalo WSR-2533DHPL2 devices, prior to firmware version v1.02, in addition to WSR-2533DHP3 with firmware v1.24.

After confirming that the flaw affected Buffalo routers, the researcher revealed that the flaw also resides in at least 20 other routers: “The flaw appears to affect other routers manufactured by Arcadyan, including some originally sold in 2008. This report should be taken seriously, as these devices are used by thousands of users worldwide.”
