Arcadyan Router Exploitations

 1title: Arcadyan Router Exploitations
 2id: f0500377-bc70-425d-ac8c-e956cd906871
 3status: test
 4description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.
 5references:
 6    - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
 7    - https://www.tenable.com/security/research/tra-2021-13
 8    - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
 9author: Bhabesh Raj
10date: 2021/08/24
11modified: 2023/01/02
12tags:
13    - attack.initial_access
14    - attack.t1190
15    - cve.2021.20090
16    - cve.2021.20091
17    - detection.emerging_threats
18logsource:
19    category: webserver
20detection:
21    path_traversal:
22        # CVE-2021-20090 (Bypass Auth: Path Traversal)
23        cs-uri-query|contains: '..%2f'
24    config_file_inj:
25        cs-uri-query|contains|all:
26            # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection)
27            - '..%2f'
28            - 'apply_abstract.cgi'
29    noauth_list:
30        cs-uri-query|contains:
31            - '/images/'
32            - '/js/'
33            - '/css/'
34            - '/setup_top_login.htm'
35            - '/login.html'
36            - '/loginerror.html'
37            - '/loginexclude.html'
38            - '/loginlock.html'
39    condition: (path_traversal or config_file_inj) and noauth_list
40falsepositives:
41    - Unknown
42level: critical

References

• Bypassing Authentication on Arcadyan Routers with CVE-2021–20090 and rooting some Buffalo

  

  A walkthrough of my first experience in router hacking

  
  Read More

• Multiple Vulnerabilities in Buffalo and Arcadyan manufactured routers

  

  Tenable has discovered multiple vulnerabilities in routers manufactured by Arcadyan. During the disclosure process for the issues discovered in the Buffalo routers, Tenable discovered that CVE-2021-20090 affected many more devices, as the root cause of the vulnerability exists in the underlying Arcadyan firmware.  Please note that CVE-2021-20091 and CVE-2021-20092 have only been confirmed on Buffalo WSR-2533 models.

  
  Read More

• Freshly Disclosed Vulnerability CVE-2021-20090 Exploited in the Wild | Official Juniper Networks Blogs

  

  Juniper Threat Labs has discovered an active exploitation of the CVE-2021-20090 vulnerability. Learn more in this blog.

  
  Read More

Related rules

• ADSelfService Exploitation
• CVE-2010-5278 Exploitation Attempt
• CVE-2020-0688 Exchange Exploitation via Web Log
• CVE-2020-0688 Exploitation Attempt
• CVE-2020-10148 SolarWinds Orion API Auth Bypass