Asus published an emergency firmware update on Monday to address vulnerabilities in its WiFi routers. The nine vulnerabilities, one of them a critical flaw disclosed in 2018 that exposes users to remote code execution, allow attacks ranging from denial of service and information disclosure to credential bypass and remote code execution.
Overall, Asus fixed the following CVEs:
- CVE-2023-28702
- CVE-2023-28703
- CVE-2023-31195
- CVE-2022-46871
- CVE-2022-38105
- CVE-2022-35401
- CVE-2018-1160
- CVE-2022-38393
- CVE-2022-26376
Out of these, CVE-2018-1160 (CVSS 9.8/10) is a critical vulnerability in Netatalk versions before 3.1.12 (the release that fixed it), disclosed in 2018, that allows remote code execution. The flaw is an out-of-bounds write; according to Asus’s advisory, it arises from a lack of bounds checking on attacker-controlled data.
A total of 19 router models are affected by the aforementioned vulnerabilities. These include the Asus GT6, GT-AXE16000, GT-AX11000 PRO, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000 and TUF-AX5400. The company’s advisory explains how to update each model and what to do in the meantime.
Another critical vulnerability addressed in the update is CVE-2022-26376. Rated CVSS 9.8/10, this is a memory corruption vulnerability in the httpd unescape functionality of Asuswrt before version 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen before version 386.7, reachable with a specially crafted HTTP request.
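Both CVE-2018-1160 and CVE-2022-26376 belong to the same bug class: a length or string taken from an unauthenticated remote client is copied into a fixed-size field without checking that it fits. The following is an added illustration, not code from Netatalk, Asuswrt or Asus’s advisory. It uses a constructed, hypothetical option format ([type:1][length:1][value:length], repeated) and constructed sample messages, and shows the unchecked copy beside a hardened parser that validates the client-supplied length against both the remaining message and the destination size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical option list (constructed for illustration, not the real
 * Netatalk DSI or Asuswrt httpd format): [type:1][length:1][value:length]... */
enum { OPT_QUANTUM = 1, OPT_NAME = 2 };

struct session {
    uint8_t quantum[4];   /* fixed 4-byte field; a client may claim more */
    char    name[16];     /* fixed 16-byte field, kept NUL-terminated */
};

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2, PARSE_UNKNOWN = -3 };

/* VULNERABLE: only the read side is checked. The client-chosen length is
 * trusted when copying into fixed-size fields, so OPT_QUANTUM with length 8
 * writes 4 bytes past s->quantum. Shown for contrast; never feed it
 * untrusted input. */
int parse_options_unchecked(const uint8_t *msg, size_t msg_len, struct session *s)
{
    size_t i = 0;
    while (i + 2 <= msg_len) {
        uint8_t type = msg[i], len = msg[i + 1];
        const uint8_t *val = msg + i + 2;
        if (len > msg_len - i - 2)
            return PARSE_TRUNCATED;           /* value would run past the message */
        if (type == OPT_QUANTUM)
            memcpy(s->quantum, val, len);     /* BUG: no check against sizeof s->quantum */
        else if (type == OPT_NAME)
            memcpy(s->name, val, len);        /* BUG: no check against sizeof s->name */
        else
            return PARSE_UNKNOWN;
        i += 2 + (size_t)len;
    }
    return i == msg_len ? PARSE_OK : PARSE_TRUNCATED;
}

/* Copy one option value into a fixed-size destination only if it fits. */
static int copy_bounded(void *dst, size_t dst_size, const uint8_t *val, size_t len)
{
    if (len > dst_size)
        return PARSE_TOO_LONG;
    memcpy(dst, val, len);
    return PARSE_OK;
}

/* HARDENED: every length is checked against the remaining message (over-read)
 * and against the destination it lands in (out-of-bounds write). */
int parse_options_checked(const uint8_t *msg, size_t msg_len, struct session *s)
{
    size_t i = 0;
    while (i + 2 <= msg_len) {
        uint8_t type = msg[i], len = msg[i + 1];
        const uint8_t *val = msg + i + 2;
        int rc = PARSE_OK;
        if (len > msg_len - i - 2)
            return PARSE_TRUNCATED;
        switch (type) {
        case OPT_QUANTUM: rc = copy_bounded(s->quantum, sizeof s->quantum, val, len); break;
        case OPT_NAME:    rc = copy_bounded(s->name, sizeof s->name - 1, val, len); break;
        default:          return PARSE_UNKNOWN;
        }
        if (rc != PARSE_OK)
            return rc;
        i += 2 + (size_t)len;
    }
    return i == msg_len ? PARSE_OK : PARSE_TRUNCATED;
}

/* Constructed sample messages. */
static const uint8_t MSG_GOOD[]      = { OPT_QUANTUM, 4, 0x00, 0x00, 0x10, 0x00,
                                         OPT_NAME, 5, 'a', 's', 'u', 's', '1' };
static const uint8_t MSG_OVERSIZED[] = { OPT_QUANTUM, 8, 1, 2, 3, 4, 5, 6, 7, 8 }; /* 8 > 4 */
static const uint8_t MSG_TRUNCATED[] = { OPT_QUANTUM, 4, 0xAA };                  /* claims 4, has 1 */

int hardened_verdict(const uint8_t *msg, size_t n)
{
    struct session s;
    memset(&s, 0, sizeof s);
    return parse_options_checked(msg, n, &s);
}

int unchecked_verdict_benign(const uint8_t *msg, size_t n)  /* safe only for well-formed input */
{
    struct session s;
    memset(&s, 0, sizeof s);
    return parse_options_unchecked(msg, n, &s);
}

/* Quantum from a well-formed message as a big-endian integer, or -1 on error. */
long quantum_of(const uint8_t *msg, size_t n)
{
    struct session s;
    memset(&s, 0, sizeof s);
    if (parse_options_checked(msg, n, &s) != PARSE_OK)
        return -1;
    return ((long)s.quantum[0] << 24) | ((long)s.quantum[1] << 16) |
           ((long)s.quantum[2] << 8)  |  (long)s.quantum[3];
}

int main(void)
{
    printf("good      -> %d (quantum 0x%lx)\n", hardened_verdict(MSG_GOOD, sizeof MSG_GOOD),
           quantum_of(MSG_GOOD, sizeof MSG_GOOD));
    printf("oversized -> %d\n", hardened_verdict(MSG_OVERSIZED, sizeof MSG_OVERSIZED));
    printf("truncated -> %d\n", hardened_verdict(MSG_TRUNCATED, sizeof MSG_TRUNCATED));
    /* parse_options_unchecked(MSG_OVERSIZED, ...) would overrun s->quantum; not called. */
    return 0;
}
```

The only difference between the two parsers is the second check in copy_bounded: the message-level length check alone stops over-reads but does nothing to protect the fixed-size destination, which is exactly where an attacker-controlled length turns into a write past the end of a struct field.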
If a firmware update is not immediately possible, Asus has provided mitigation steps: disable services accessible from the WAN side, including remote access from WAN, port forwarding, DDNS, VPN server, DMZ and port triggering, to “avoid potential unwanted intrusions” until the update can be installed.
That said, don’t wait: apply the update to your router (and to your other equipment in general) as soon as it is available. Asus also asks customers to regularly audit their equipment and security procedures to head off attacks on their network infrastructure.