Routers and Modems Running Arcadyan Firmware Are Under Attack (therecord.media)
Routers and modems running a version of the Arcadyan firmware, including devices from ASUS, Orange, Vodafone, and Verizon, are currently under attack from a threat actor attempting to ensnare the devices into their DDoS botnet. From a report: First spotted by security firm Bad Packets earlier this week and confirmed by Juniper Labs on Friday, the attacks are exploiting a vulnerability tracked as CVE-2021-20090.
Discovered by Tenable security researcher Evan Grant earlier this year, the vulnerability resides in the firmware code produced by Taiwanese tech firm Arcadyan. Grant says the vulnerability has existed in the code for at least ten years and has made its way into the firmware of at least 20 router and modem models sold by 17 different vendors, which based their products on a white-label version of old Arcadyan devices. The list of affected devices includes some of today's biggest router vendors and internet service providers, such as ASUS, Orange, Vodafone, Telstra, Verizon, Deutsche Telekom, British Telecom, and many others.
Patched in April (Score:1, Troll)
It's freaking August. When do you patch/update your own hardware?
Re:Patched in April (Score:5, Insightful)
Given the update frequency of these devices, how would anyone ever know firmware is available? To most people these are appliances that simply work. My old Fios modem was running for 10 years and I don't think Verizon ever offered an update.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
For some of these devices at least there is a firmware check/update on power up (the ones that are provided by ISPs).
A lot of the equipment for VoIP has a built in UPS. So, even those never get updated.
Re: (Score:3)
What about those with a built in FedEx?
Re: (Score:2)
What about those with a built in FedEx?
I think they'll be okay. However, due to cutbacks, those with built in USPS will have their updates delayed significantly.
Re: (Score:2)
Should be checked every week, and the vendor able to set a flag that says "download this without user interaction at 1AM or the next time you turn on". Obviously have an override for people who want it, but most users never touch their router config.
A lot more router exploits this year. Please updat (Score:2)
I think one reason that even people on Slashdot don't update is they either a) don't see a notification about it or b) aren't sure if the notification applies to their model.
Over the last few months, there have been several vulnerabilities being actively exploited in a wide variety of routers and modems. I haven't actually done the calculation, but I'd guess that about half of actively-used routers are vulnerable to one. Meaning yours probably is.
If you haven't updated in the last few months, your router
Re: (Score:2)
Re: (Score:3)
When do you patch/update your own hardware?
When I read a scary story on Slashdot about unpatched devices running amok.
Seriously, I don't log into my router unless there's a problem. Since I stopped buying equipment from the clearance bin, that hasn't been very often.
Re: (Score:2)
When I read a scary story on Slashdot about unpatched devices running amok.
When a router suddenly starts burning DVDs, it gets your attention!
Re: (Score:2)
It's freaking August. When do you patch/update your own hardware?
I think I patch/update firmware on my personal router significantly more often than most end users. I just did the latest update, which apparently only posted 2 weeks ago. Doing some digging, pretty sure the version I had prior was from at least January if not Q3 of last year.
Comment removed (Score:5, Insightful)
Re: (Score:2)
What's really needed is to separate security updates from featu
Re: (Score:3)
I'd venture to say it's because they can't.
The bug might be fixed upstream, but then it has to be pushed downstream to the manufacturers who have to release it to the ISPs and all that fun stuff.
In other words, like Android, and chances of it actually getting the updates are 0.
Re: (Score:2)
You mean risk the thing breaking or magically losing functionality that the vendor no longer wants to support?
Re: (Score:2)
It's freaking August. When do you patch/update your own hardware?
LOL@ the trolls voting this as a troll post.
FU if you're too stupid to check your router for updates.
The only pain for me is recreating "special" rules for routing for my internal network, since they don't seem to survive updates, even with "backups"
And a lot of that is setting internal devices with permanent IP addresses like my NAS, TV, and Ebook server.
One firmware provider?? (Score:2, Interesting)
This should be the Telco's responsibility (Score:3)
Almost all ADSL wireless IAD routers ... (Score:2)
..critical authentication bypass issue (CVE-2021-20090) affecting home routers with Arcadyan firmware.
Almost all of them ADSL wireless IAD routers, among them [redpacketsecurity.com]:
ASUS DSL-AC88U (Arc VRV9517) 1.10.05 build502
ASUS DSL-AC87VG (Arc VRV9510) 1.05.18 build305
ASUS DSL-AC3100 1.10.05 build503
ASUS DSL-AC68VG 5.00.08 build27
Re: (Score:2)
It's not just home consumers (Score:2)
We've also gotten two Mellanox EDR switches... One was relatively new from factory & I updated through two versions. The other came from a well known supplier of computer equipment, and its MLNX-OS (rebadged Linux) was so old it *didn't even recognize the transceivers* I p