This Bug in Millions of Routers Can Turn Them into Zombies Without You Knowing

The router is one of the fundamental pieces of equipment for getting Internet access at home and connecting our devices to the network of networks. Telecommunications operators usually provide us with this equipment, although in some cases we can also choose to buy a model with better features. Be that as it may, it is vital that the operator, the manufacturer and the customer all keep the router updated to the latest version to prevent cybercriminals from exploiting security flaws. Unfortunately, this is not what has happened with a flaw in millions of routers that threatens to turn them into zombies.

Security firm Juniper Threat Labs continuously scans the network for malicious activity. A few days ago it discovered that attackers were taking advantage of a security flaw that had just been disclosed. The vulnerability is known as CVE-2021-20090 and was made public on August 3. Only two days later, cybercriminal activity exploiting it was detected. The vulnerability appears to affect millions of home routers from up to 17 manufacturers, including some carriers. What they all have in common is the Arcadyan firmware inside them.

Some Orange routers could be affected

The vulnerability allows an attacker to bypass the device's authentication and take control of it. The attacks appear to come from the Chinese city of Wuhan and are trying to deploy a variant of the Mirai botnet to turn these devices into a zombie army to carry out large-scale attacks. Since most people don't bother to update their router, this is a very simple and cheap attack to implement.

The list of affected manufacturers, models and firmware versions is as follows:

  • ADB ADSL wireless IAD router – 1.26SR-3P
  • Arcadyan ARV7519 – 00.96.00.96.617ES
  • Arcadyan VRV9517 – 6.00.17 build04
  • Arcadyan VGV7519 – 3.01.116
  • Arcadyan VRV9518 – 1.01.00 build44
  • ASMAX BBR-4MG / SMC7908 ADSL – 0.08
  • ASUS DSL-AC88U (Arc VRV9517) – 1.10.05 build502
  • ASUS DSL-AC87VG (Arc VRV9510) – 1.05.18 build305
  • ASUS DSL-AC3100 – 1.10.05 build503
  • ASUS DSL-AC68VG – 5.00.08 build272
  • Beeline Smart Box Flash – 1.00.13_beta4
  • British Telecom WE410443-SA – 1.02.12 build02
  • Buffalo WSR-2533DHPL2 – 1.02
  • Buffalo WSR-2533DHP3 – 1.24
  • Buffalo BBR-4HG –
  • Buffalo BBR-4MG – 2.08 Release 0002
  • Buffalo WSR-3200AX4S – 1.1
  • Buffalo WSR-1166DHP2 – 1.15
  • Buffalo WXR-5700AX7S – 1.11
  • Deutsche Telekom Speedport Smart 3 – 010137.4.8.001.0
  • HughesNet HT2000W – 0.10.10
  • KPN ExperiaBox V10A (Arcadyan VRV9517) – 5.00.48 build453
  • KPN VGV7519 – 3.01.116
  • O2 HomeBox 6441 – 1.01.36
  • Orange LiveBox Fiber (PRV3399) – 00.96.00.96.617ES
  • Skinny Smart Modem (Arcadyan VRV9517) – 6.00.16 build01
  • SparkNZ Smart Modem (Arcadyan VRV9517) – 6.00.17 build04
  • Telecom (Argentina) Arcadyan VRV9518VAC23-A-OS-AM – 1.01.00 build44
  • TelMex PRV33AC – 1.31.005.0012
  • TelMex VRV7006 –
  • Telstra Smart Modem Gen 2 (LH1000) – 0.13.01r
  • Telus WiFi Hub (PRV65B444A-S-TS) – v3.00.20
  • Telus NH20A – 1.00.10debug build06
  • Verizon Fios G3100 – 2.0.0.6
  • Vodafone EasyBox 904 – 4.16
  • Vodafone EasyBox 903 – 30.05.714
  • Vodafone EasyBox 802 – 20.02.226

As we can see, the flaw affects multiple international providers such as British Telecom, Deutsche Telekom, Orange, O2 (Telefónica UK) and Vodafone, across both fiber and ADSL models. The list appears to include two Orange routers. The Arcadyan ARV7519 would refer to the LiveBox for ADSL, while the Orange LiveBox Fiber (PRV3399) would be one of the latest models launched by the operator.

In both cases, the affected version is 00.96.00.96.617ES. If our router is running it, we will have to update the device. Apparently, by entering the URL http://192.168.1.1/images/…%2findex.htm we can find out whether the router is affected. If we receive a 404 error, there will be no problem.