ASUS routers vulnerable to critical remote code execution flaws

    Posted by Karlston

    Three critical-severity remote code execution vulnerabilities impact ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U routers, potentially allowing threat actors to hijack devices if security updates are not installed.
    These three WiFi routers are popular high-end models within the consumer networking market, currently available on the ASUS website, favored by gamers and users with demanding performance needs.
    The flaws, which all have a CVSS v3.1 score of 9.8 out of 10.0, are format string vulnerabilities that can be exploited remotely and without authentication, potentially allowing remote code execution, service interruptions, and arbitrary operations on the device.

    Format string flaws are security problems arising from unvalidated and/or unsanitized user input within the format string parameters of certain functions. They can lead to various issues, including information disclosure and code execution.
    Attackers exploit these flaws using specially crafted input sent to the vulnerable devices. In the case of the ASUS routers, they would target certain administrative API functions on the devices.
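    The two paragraphs above describe the bug class in general terms. The following C snippet is an added illustration, not ASUS firmware code and not code from the article: it places the vulnerable pattern (caller-controlled text used as the format argument) beside the hardened pattern (a fixed format literal with the text bound to `%s`), plus a small defence-in-depth check for code that must build format templates at runtime. The function names, the `lab-router-100%%` device name and the buffer sizes are constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable pattern: the caller's data becomes the format string itself.
 * Every '%' sequence in user_input is interpreted by vsnprintf, so text
 * that should have been data is treated as instructions. The varargs
 * wrapper only exists so the example compiles cleanly; in real code the
 * same state is usually reached via printf(buf) or syslog(pri, buf).
 */
int format_status_vulnerable(char *out, size_t outlen, const char *user_input, ...)
{
    va_list ap;
    va_start(ap, user_input);
    int n = vsnprintf(out, outlen, user_input, ap); /* format = untrusted data */
    va_end(ap);
    return n;
}

/* Hardened pattern: a fixed format literal; user data is only ever a %s argument. */
int format_status_safe(char *out, size_t outlen, const char *user_input)
{
    return snprintf(out, outlen, "%s", user_input);
}

/*
 * Defence-in-depth check for code paths that genuinely have to build a
 * format string at runtime (for example a configurable log template).
 * Returns 1 if the printf family would interpret the text, 0 otherwise.
 */
int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Demonstration driver (the verifier sets this aside and runs its own main). */
int main(void)
{
    /* Constructed sample: a hypothetical device-name parameter containing "%%". */
    const char *name = "lab-router-100%%";
    char buf[64];

    format_status_vulnerable(buf, sizeof buf, name);
    printf("vulnerable: \"%s\"\n", buf);   /* "%%" collapsed to a single "%" */
    format_status_safe(buf, sizeof buf, name);
    printf("safe:       \"%s\"\n", buf);   /* text preserved verbatim */
    printf("needs review: %d\n", has_format_directive(name));
    return 0;
}
```

    The sample deliberately uses only `%%`, whose interpretation is well defined, so the difference between the two paths is visible without undefined behaviour: the vulnerable function silently rewrites the input, which is the same mechanism that lets other conversions read or write memory. The fix is not to filter `%` characters out of input but to never let input occupy the format position; `has_format_directive` is a secondary safeguard for review and logging, not a replacement for that fix.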

    The flaws

    The three vulnerabilities that were disclosed earlier today by the Taiwanese CERT are the following:
    1. CVE-2023-39238: Lack of proper verification of the input format string on the iperf-related API module ‘ser_iperf3_svr.cgi’.
    2. CVE-2023-39239: Lack of proper verification of the input format string in the API of the general setting function.
    3. CVE-2023-39240: Lack of proper verification of the input format string on the iperf-related API module ‘ser_iperf3_cli.cgi’.
    The above issues impact ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U in firmware versions 3.0.0.4.386_50460, 3.0.0.4.386_50460, and 3.0.0.4_386_51529 respectively.
    The recommended solution is to apply the following firmware updates:

    ASUS released patches that address the three flaws in early August 2023 for RT-AX55, in May 2023 for RT-AX56U_V2, and in July 2023 for RT-AC86U.

    Users who haven’t applied security updates since then should consider their devices vulnerable to attacks and prioritize the action as soon as possible.
    Furthermore, as many attacks on consumer routers target the web admin console, it is strongly advised to turn off the remote administration (WAN Web Access) feature so that the console cannot be reached from the internet.