<p>Researchers at Tenable have discovered a 12-year-old flaw that has potentially left millions of routers exposed across dozens of manufacturers. If exploited, attackers could compromise these routers, which are commonly used in home networks, and potentially the devices connected to them. The flaw exists in at least 20 router and modem models manufactured by 17 different vendors and used in at least 11 countries.</p>
<p>The research leading to CVE-2021-20090 highlights a series of implementation weaknesses in the software powering a large number of internet routers. In this case, the software itself was created by Arcadyan and provided to the various device manufacturers through a supply chain relationship. Since that relationship was probably a commercial one, the device manufacturers most likely followed a standard procurement model: the initial software was validated against their security requirements, and subsequent updates were accepted on the strength of the trusted supplier status Arcadyan had obtained. This process is very common in software supply chains, but it also highlights a large risk that attackers are now targeting: the supplier/consumer trust model.</p>
<p>While the vulnerability behind CVE-2021-20090 is a well-known class of weakness, there is no way to know whether, during the procurement vetting process, that weakness was mitigated by controls that are no longer present in the current version of the software. And therein lies the problem: cybersecurity assessments are made using the best practices and threat models available at the time of the assessment. Any change in configuration or in the threat landscape can turn an acceptable risk into a critical issue, and most software does not age gracefully. To minimise the impact of software supply chain risk, organisations should review every software update against the same standards they would apply to software from a new supplier, while also periodically reviewing existing software assets to ensure they meet current cybersecurity practices rather than remaining deployed under a grandfathered view of the applications' risks.</p>