Executive Summary
Summary | |
---|---|
Title | Arcadyan-based routers and modems vulnerable to authentication bypass |
Informations | |||
---|---|---|---|
Name | VU#914124 | First vendor Publication | 2021-07-20 |
Vendor | VU-CERT | Last vendor Modification | 2021-10-07 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | |||
---|---|---|---|
Overall CVSS Score | 9.8 | ||
Base Score | 9.8 | Environmental Score | 9.8 |
impact SubScore | 5.9 | Temporal Score | 9.8 |
Exploitabality Sub Score | 3.9 | ||
Attack Vector | Network | Attack Complexity | Low |
Privileges Required | None | User Interaction | None |
Scope | Unchanged | Confidentiality Impact | High |
Integrity Impact | High | Availability Impact | High |
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
OverviewA path traversal vulnerability exists in numerous routers manufactured by multiple vendors using Arcadyan based software. This vulnerability allows an unauthenticated user access to sensitive information and allows for the alteration of the router configuration. DescriptionThe vulnerability, identified as CVE-2021-20090, is a path traversal vulnerability. An unauthenticated attacker is able to leverage this vulnerability to access resources that would normally be protected. The researcher initially thought it was limited to one router manufacturer and published their findings, but then discovered that the issue existed in the Arcadyan based software that was being used in routers from multiple vendors. ImpactSuccessful exploitation of this vulnerability could allow an attacker to access pages that would otherwise require authentication. An unauthenticated attacker could gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings. SolutionThe CERT/CC recommends updating your router to the latest available firmware version. It is also recommended to disable the remote (WAN-side) administration services on any SoHo router and also disable the web interface on the WAN. AcknowledgementsThanks to the reporter Evan Grant from Tenable. This document was written by Timur Snoke. |
Original Source
Url : https://kb.cert.org/vuls/id/914124 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
Alert History
Date | Informations |
---|---|
2021-10-08 00:17:42 |
|
2021-09-23 17:17:42 |
|
2021-09-06 21:18:00 |
|
2021-08-18 17:17:40 |
|
2021-08-16 17:17:40 |
|
2021-08-12 17:17:41 |
|
2021-08-11 17:17:42 |
|
2021-08-10 21:17:58 |
|
2021-08-04 17:17:35 |
|
2021-08-03 17:17:38 |
|
2021-07-21 00:17:38 |
|