Research from Tenable has highlighted an industry-wide security challenge of manufacturers reusing vulnerable software code.
It follows Tenable Research’s discovery of a 12-year-old vulnerability [CVE-2021-20090] that has potentially left millions of routers exposed across dozens of manufacturers. The sheer number of vendors and devices impacted draws attention to an industry-wide problem: the significant downstream effects of reused vulnerable software code.
Tenable has determined that the path traversal/authentication bypass flaw affects at least 20 devices across 17 different vendors in 11 countries, including Internet Service Providers (ISPs) used in Argentina, Australia, Canada, Germany, Japan, Mexico, Netherlands, New Zealand, Russia, Spain, and the US.
If exploited, it could allow someone to alter the device configuration to serve malicious content to end-users or pivot to attack devices connected to the router’s LAN.
If the attacker is motivated, they could also leverage the authentication bypass to get access to features more likely to lead them to another vulnerability, like CVE-2021-20091 — a configuration injection vulnerability discovered in the initial Buffalo router models researched, which could grant an attacker root access to the device.
Given the current trend for a remote, home-based, workforce, this not only impacts consumers but has the potential to expose organizations to further uncontrolled risk.
“Consumers shouldn’t have to worry that their ISP-provided device will leave them, or their employers, open to attack,” said Evan Grant, staff research engineer at Tenable. “The vendors affected should be taking steps to mitigate the impact of these vulnerabilities on themselves, and their customers. Beyond that, collaboration across all stakeholders — manufacturers, vendors, security researchers — is imperative to overcome the difficulties of reporting vulnerabilities found in shared software libraries and remediate all affected products efficiently.”