
CVE-2020-9420: Vulnerabilities found on Arcadyan Routers - Asher Davila L.

The login password of the web administrative dashboard in Arcadyan Wifi routers VRV9506JAC23 is sent in cleartext, allowing an attacker to sniff and intercept traffic to learn the administrative credentials to the router.



The two vulnerabilities were found by Asher Davila L. in Arcadyan wireless modems with model number VRV9506JAC23. They are probably present in other Arcadyan models as well, because their web interfaces are similar and they have common features. The following are the two vulnerabilities we found:

  • CVE-2020-9420: Cleartext transmission of sensitive information
  • CVE-2020-9419: Stored cross-site scripting

In combination, these vulnerabilities pose a significant risk: malicious users on the network can sniff the wireless modem's user credentials. They can then use the sniffed credentials to access the web interface and inject persistent malicious scripts into it. It is recommended that users contact their ISPs to request a router that uses secure protocols such as HTTPS instead of HTTP.

According to Shodan, there are at least 19,887 Arcadyan devices exposed to the internet in countries such as Japan, China, the United States, Germany, and the United Kingdom.

Figure 1. Shodan Search

Figure 2. Countries where Arcadyan routers are present according to Shodan

Additionally, some of the largest ISPs (Internet Service Providers) in Latin America and Europe provide this device to their customers as their default modem. For example, this router is distributed by Telmex, the largest ISP of Mexico.

Disclosure Timeline

  • November 11, 2019 - contacted the US CERT to report the vulnerability.
  • February 25, 2020 - contacted a partner that is a vendor of the product. The vendor provided a contact to report the vulnerability.
  • February 25, 2020 - communicated the vulnerabilities to the manufacturer.

Conclusion

In summary, the Arcadyan wireless modem has two vulnerabilities that can be used together to compromise the device and inject malicious code. The first is the use of an insecure protocol—HTTP instead of HTTPS—which allows attackers to capture credentials. The second vulnerability is the lack of input validation, which allows attackers to inject malicious code.
