Fios G3100 Router CVE-2021-20090 Flaw
KDnVB
Enthusiast - Level 3

Read that the G3100 with firmware 2.0.0.6 requires an update to address a web access flaw. Anything on when the firmware will be updated? https://www.tomsguide.com/news/arcadyan-router-malware


Re: Fios G3100 Router CVE-2021-20090 Flaw
Cang_Household
Community Leader

The firmware update will be pushed automatically over a certain period of time once it is ready.

For now, there are several existing remedies that may address the security vulnerability.

1) WAN Remote Administration over Port 443 is disabled by default. Attackers should not be able to initiate an HTTP request to the router at all. If you have Remote Administration enabled, please disable it in the Remote Administration menu under the Advanced settings. The security vulnerability seems to surround the web-based administrative interface. Disabling the web admin interface on WAN should be a prime remedy.

2) WAN ICMP Echo and Traceroute over UDP are enabled by default. To keep your router stealthy over the Internet, you should disable them as well in the same menu as above.

3) Each device on your network should have a host-based firewall enabled in addition to the firewall at your router. Once the router firewall is compromised by an attack, the host-based firewall should start to block the attacker's traffic as the second line of defense.

I hope this helps.
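
One way to confirm remedy 1 after changing the setting, as an added example that is not part of the original post or any Verizon tooling: a TCP connect check against your own router's WAN address on port 443, the Remote Administration port named above. The function names and the open/closed/filtered labels are choices made for this example; run it from outside your home network (for instance over a phone hotspot), because from the LAN side the router may answer for its own WAN address.

```python
import socket
import sys

REMOTE_ADMIN_PORT = 443  # WAN Remote Administration port named in the post


def probe_tcp(host, port=REMOTE_ADMIN_PORT, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # handshake completed: something is listening
    except socket.gaierror:
        raise                  # bad host name says nothing about the port
    except ConnectionRefusedError:
        return "closed"        # reset came back: reachable, nothing listening
    except OSError:
        return "filtered"      # timeout or unreachable: traffic was dropped


def remote_admin_exposed(host, port=REMOTE_ADMIN_PORT, timeout=3.0):
    """True if the WAN side completes a TCP handshake on the admin port."""
    return probe_tcp(host, port, timeout) == "open"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_wan_admin.py <your-router-WAN-address>")
    target = sys.argv[1]
    state = probe_tcp(target)
    print(f"tcp/{REMOTE_ADMIN_PORT} on {target}: {state}")
    if state == "open":
        # An open port can also be a port forward to an internal server,
        # so confirm in the router's menus which one it is.
        print("Something answers on the WAN side: check Remote "
              "Administration and port forwarding settings.")
        sys.exit(1)
    print("Remote Administration is not reachable from this vantage point.")
```

A "closed" or "filtered" result both mean the web interface did not accept the connection; "filtered" is what a router that silently drops unsolicited WAN traffic looks like.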

Re: Fios G3100 Router CVE-2021-20090 Flaw
VerizonFIOS4783
Enthusiast - Level 1

The mitigation steps posted by Cang_Household are helpful, thank you. However, they do not really protect the router, and this vulnerability is under active attack. When will Verizon have the firmware update available?

Re: Fios G3100 Router CVE-2021-20090 Flaw
Cang_Household
Community Leader

@VerizonFIOS4783 wrote:

However, they do not really protect the router


The documented attack leverages the HTTP service. If the attacker cannot even access the HTTP service (i.e. remote administration disabled), how could the attacker launch an attack?

A new firmware, 3.1.0.12, began rolling out last Tuesday, and will continue to the end of the month.