Tenable has identified vulnerabilities in Arcadyan routers and modems that demonstrate how flaws affecting a shared library can become increasingly difficult to report, track and fix due to the number of vendors involved in the supply chain. Tenable disclosed multiple vulnerabilities in a series of Buffalo consumer routers, marketed and sold in Japan. During the disclosure process, it became apparent that a path traversal/authentication bypass flaw was not unique to the Buffalo series of routers but was instead a vulnerability in the underlying Arcadyan software.
The 12-year-old path traversal vulnerability allows an attacker to bypass authentication to the web interface and leverage it to access other devices on a home or corporate network. Tenable found that shared libraries used across a number of devices have led to one persistent vulnerability being present in routers provided by dozens of manufacturers.
The complexity of modern software, its increasing reliance on the reuse of code and shared libraries from third parties, the lack of transparency around those third parties’ security practices, and the relationships which form that supply chain are creating novel problems for the security industry to consider, Tenable said.
“Tracking supply chain vulnerabilities is difficult enough when the relationships between the affected parties are clearly defined. Uncertainty about which vendors are part of Arcadyan’s supply chain only adds to that difficulty and makes it more likely that some vendors are missed in the discovery, reporting, and disclosure process,” Tenable wrote in a whitepaper.
The path traversal vulnerability in the web interfaces of networking devices manufactured by Arcadyan, including Buffalo WSR-2533DHPL2 firmware, could allow unauthenticated remote attackers to bypass authentication, according to Tenable. If exploited, the path traversal vulnerability could allow someone to alter the device configuration to serve malicious content to end-users or pivot to attack devices connected to the router’s LAN.
Tenable attempted to fingerprint as many devices as possible, using a variety of tools like BinaryEdge, Censys, and Shodan to try to identify common patterns in the web interface’s landing pages and leveraging sites to try to identify devices manufactured by Arcadyan.
Tenable also tried to obtain what devices it could for testing, within reason, but many of the affected devices are provided directly to consumers by ISPs and are not for sale. Additionally, there are thousands of affected devices that are no longer produced or sold, with some being at least 10 years old. These factors make the devices difficult to obtain for testing and less likely to receive updates from the vendors that released them.
Tenable has been working with the CERT Coordination Center to identify and report as many affected devices as possible. At the time of publication, there appeared to be at least 10,000 of the vulnerable devices visible on the internet.
The path traversal vulnerability has been assigned CVE-2021-20090 with a CVSSv3 base score of 8.1. Common Vulnerabilities and Exposures (CVE) is a system that provides a method for publicly sharing information on cybersecurity vulnerabilities and exposures, to make it easier to share information about known vulnerabilities across organizations.
If the attacker is motivated, they could also leverage the authentication bypass to get access to features more likely to lead them to another vulnerability, like CVE-2021-20091, a configuration injection vulnerability discovered in the initial Buffalo router models researched, which could grant an attacker root access to the device. Given the current trend toward a remote, home-based workforce, this directly affects consumers and has the potential to expose organizations to further uncontrolled risk.
Arcadyan delivers products that enable broadband access, multimedia, and wireless infrastructure.
Tenable researcher Evan Grant detailed in a Medium post how he disassembled Buffalo devices and used a shell offered up on Universal Asynchronous Receiver/Transmitter (UART) to help find a couple of bugs that could let users bypass authentication to the web interface and enable a root BusyBox shell on telnet. “At the end, we will also take a quick look at how I discovered that the authentication bypass vulnerability was not limited to the Buffalo routers, and how it affects at least a dozen other models from multiple vendors spanning a period of over ten years,” he wrote in the post.
It is fairly common for devices like the Buffalo routers to offer up a shell over an interface such as UART on the circuit board. Manufacturers often leave test points or unpopulated pads on the circuit board for accessing UART, which are often used for debugging or testing the device during manufacture, Grant added.
Tenable discovered multiple vulnerabilities in routers manufactured by Arcadyan. During the disclosure process for the issues discovered in the Buffalo routers, Tenable found that the path traversal vulnerability affected many more devices, as the root cause of the vulnerability exists in the underlying Arcadyan firmware.
Two additional vulnerabilities, CVE-2021-20091 and CVE-2021-20092, have only been confirmed on Buffalo WSR-2533 models. CVE-2021-20091 has been assigned for a configuration file injection vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware, which does not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution. CVE-2021-20092 has been assigned for improper access control in the web interfaces of Buffalo WSR-2533DHPL2 firmware, which does not properly restrict access to sensitive information from an unauthorized attacker.
The common denominator is that all of the devices were manufactured by Arcadyan, Grant wrote. In hindsight, it should have been obvious to look for more affected devices outside of Buffalo’s product line given how much of the Buffalo firmware appeared to have been built by Arcadyan. However, after obtaining and testing a number of Arcadyan-manufactured devices, it also became clear that not all of them were created equally, and the devices weren’t always affected in exactly the same way, he added.
That said, all of the devices that they were able to test or have tested via third parties shared at least one vulnerability: the path traversal which allows an attacker to bypass authentication, now assigned as CVE-2021-20090, according to Grant. “This appears to be shared by almost every Arcadyan-manufactured router/modem we could find, including devices which were originally sold as far back as 2008,” he added.
On Apr. 21, Tenable reported the path traversal vulnerability to four additional vendors, including Hughesnet, O2, Verizon, and Vodafone. Tenable reported the issues to Arcadyan on Apr. 22. As time went on, it became clear that many more vendors were affected and that contacting and tracking them all would become very difficult. On May 18, Tenable reported the issues to the CERT Coordination Center for help with that process.
Tenable has advised customers to seek updates and mitigation information from their respective vendors.