This venerable security vulnerability has exposed millions of routers to attack

(Image credit: Shutterstock / song_about_summer)

 A 12-year-old security vulnerability may be affecting routers built by “dozens of manufacturers”, exposing millions of users worldwide. 

According to researchers from security firm Tenable, the CVE-2021-20090 vulnerability made its way into modern routers due to the reusing of old (and insecure) software code.

The experts believe it could affect at least 20 different devices across 17 different vendors, including Internet Service Providers (ISP) in Argentina, Australia, Canada, Germany, Japan, Mexico, Netherlands, New Zealand, Russia, Spain, and the US.

The vulnerability is a path traversal/authentication bypass, which allows attackers to reconfigure the target router and have it serve malicious content to end users. They could also use it to attack devices connected to the router’s Local Area Network (LAN). With a little additional motivation, the report states, the attackers could also use the authentication bypass to access features that could lead them to further vulnerabilities.

“Given the current trend for a remote, home based, workforce,” the report states, “this not only impacts consumers but has the potential to expose organizations to further uncontrolled risk.”

For Evan Grant, staff research engineer at Tenable, this is absolutely the vendors’ responsibility, and they now need to step up and take action.

“Consumers shouldn’t have to worry that their ISP-provided device will leave them, or their employers, open to attack,” he said. 

Vendor responsibility

“The vendors affected should be taking steps to mitigate the impact of these vulnerabilities on themselves, and their customers. Beyond that, collaboration across all stakeholders — manufacturers, vendors, security researchers — is imperative to overcome the difficulties of reporting vulnerabilities found in shared software libraries and remediate all affected products efficiently.”

But it’s not just the problem of a handful of vendors, the report concludes. This is an industry-wide problem, as there are “significant downstream effects” that come with reused vulnerable software code.

Small and medium-sized businesses, should they fall victim to these attacks, could end up losing sensitive data, as well as revenue. 

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.