"Decade-Old Router Bug Could Affect Millions of Devices"

Security researchers have discovered a 12-year-old router vulnerability that they have warned may affect millions of devices globally.  Evan Grant, a researcher at Tenable, initially found the authentication bypass vulnerability in devices from manufacturer Buffalo.  However, during the disclosure process, he discovered that the bug actually existed in the underlying firmware from Taiwanese firm Arcadyan.  All of the tested devices shared at least one vulnerability: the path traversal, which allows an attacker to bypass authentication, now assigned as CVE-2021–20090.  The researchers stated that this flaw appears to be shared by almost every Arcadyan-manufactured router/modem, including devices that were originally sold as far back as 2008.  The issue may affect millions of devices manufactured by 17 different vendors, used in at least 11 countries, including Australia, Germany, Japan, Mexico, New Zealand, and the US.  The vulnerability in question has a CVSS score of 8.1, making it high severity. If exploited, it could allow an unauthenticated, remote attacker to bypass authentication. Grant also found two other bugs in Buffalo routers an improper access control flaw CVE-2021-20092 and a configuration file injection vulnerability CVE-2001-20091.
 

Infosecurity reports: "Decade-Old Router Bug Could Affect Millions of Devices"