On August 11, Verizon updated its comments and a rough guide on how to check for firmware updates.
Millions of home Wi-Fi routers are under attack by botnet malware. This comes just one week after researchers wrote a blog post showing how to exploit a vulnerability in the router's firmware.
Researcher Evan Grant is not entirely to blame. He is the one who discovered the flaw (catalog number CVE-2021-20090) in January when he disassembled a Buffalo-branded router sold in Japan. After Tenable, the company Grant works for, reported it to Buffalo, a patch was released by Buffalo in April to fix the firmware flaw.
The problem is that at least 36 other routers sold by 20 companies have the same or very similar flaw, and firmware patches may not yet be available for all. Few people know that they need to update their router firmware in the same way they update their computers or cell phones.
Some of these routers may be rented to customers by Internet Service Providers (ISPs). In that case, the ISP would be responsible for updating the firmware.
Affected routers include models distributed by brands such as Asus, British Telecom, Buffalo, Deutsche Telekom, O2, Orange, SparkNZ, TelMex, Telstra, Telus, Verizon, and Vodafone. The models include those distributed by brands such as Telekom, O2, Orange, SparkNZ, TelMex, Telstra, Telus, Verizon, and Vodafone, and "could affect millions of devices worldwide," according to a blog post first posted by Tenable in April and a white paper subsequently released by Tenable.
Here is a complete list of the known affected models and affected firmware:
As can be inferred from the number of phone companies included among these brands, the majority of the affected models are Internet service providers giving or leasing their customers As can be inferred from the number of phone companies included among these brands, the majority of affected models are all-in-one models that combine a DSL gateway and a modem/router, which are given or leased by Internet service providers to their customers.
Others use Fios or cellular data connections to gain Internet access, almost all with some form of broadband modem rather than a stand-alone router that requires a separate modem to gain broadband access combined router.
All of these routers were manufactured by Arcadyan, a Taiwanese technology manufacturer, and distributed under other names as part of a "white label" agreement.
The exploit is called a "path traversal vulnerability," which means that attempts to remotely access certain files in the router's file system will lead to a tamperable file, allowing an attacker to control the router from a distance.
Unfortunately, if you lease or rent your home router or gateway from your ISP, your options are limited. In such a situation, if the ISP is one of the brands mentioned above, check the model number of the router to see if it matches the model mentioned.
Still, it is difficult to be sure because some ISPs do not list the actual model number on their units. Your best bet is to contact your ISP's customer service department and ask about this.
If you own the router and have some technical skills, you will need to access the administrative settings to verify the model number and firmware version. The quickest way to do this is to plug an Ethernet cable from your laptop into one of the router's Ethernet ports.
If your router is one of the models on this list and has older firmware, you will need to check for updated firmware. There is a general guide here on how to update your router's firmware, but the actual procedure varies by model.
Some newer routers may have a mechanism within the management interface to update themselves and others to check for firmware updates. You may need to go to the support website of the company whose name is listed on the router and see if you can download updates from there.
If you are already in the management interface, find out if you can disable remote access.
If you are already in the management interface, check if you can disable remote access. Turning it off will protect you from almost all router hacks that can be performed over the Internet.
One of the affected models appears to be the Verizon Fios G3100, a $300 Fios combination modem/router. I could not find a page on the Verizon website offering firmware updates, so I initiated a chat with a Verizon support rep.
The support rep bounced us into a chat with the technical team. The tech team insisted, "We guarantee that our equipment and service is secure at all levels," and said they would contact customers whose equipment was affected by the defect via text message.
In a chat, we asked the technician if the firmware on the Verizon Fios G3100 had been updated to fix the CVE-2021-20090 flaw. The technician replied that he did not have "in-depth knowledge" for that answer and gave us a general Verizon contact page.
We emailed the Verizon press representative and will update this article as soon as we receive a response.
Update: A Verizon representative issued the following statement:
"Our security team is actively addressing concerns about the recently reported router authentication bypass. Verizon will be providing software and/or firmware updates for Fios routers to address this issue. No action by the customer is required to receive this update.
It would have been a bit easier to find a web page with firmware updates for the four Asus models that Tenable mentioned as having potential vulnerabilities. Unfortunately, none of the four appear to have received new updates since at least December 2018.
Below are links to the firmware update pages for each model, in case you want to check back later: DSL-AC88U, DSL-AC87VG, DSL-AC3100, and DSL-AC68VG.
Grant reported on August 3 On August 6, researchers at network hardware maker Juniper Networks said a known malware crew has built Grant's technique into its arsenal and is using it to attack Arcadyan-based routers. Arcadyan-based routers, he said.
The malware crew infects routers with variants of the Mirai botnet, which was first discovered in the summer of 2016 and triggered several widespread attacks in the fall of that year. Once infected, routers function normally, but can be secretly used by criminals to send spam and run distributed denial-of-service (DDoS) attacks.
One of Buffalo's models, the WSR-2533DHPL2, has two other firmware flaws, and Tenable's blog post includes a proof-of-concept exploit. Buffalo has issued firmware updates for these as well.
"Vendors that sell devices do not necessarily manufacture them. . if a bug is found in the firmware of a consumer router, it could affect many vendors and devices, not just the vendor you are investigating."
.
Comments