Asus releases firmware updates for routers to address critical security issues

2023-06-21 By admin

Asus has released new firmware for a wide range of its routers that address nine different security issues, some of which rated critical. The company encourages customers to install the firmware update immediately on their devices to protect them against potential attacks. Customers may also modify settings to mitigate potential attacks.

The security advisory website on Asus’ website lists the following affected routers: GT6/GT-AXE16000/GT-AX11000 PRO/GT-AXE11000/GT-AX6000/GT-AX11000/GS-AX5400/GS-AX3000/XT9/XT8/XT8 V2/RT-AX86U PRO/RT-AX86U/RT-AX86S/RT-AX82U/RT-AX58U/RT-AX3000/TUF-AX6000/TUF-AX5400.

The support page offers links to the firmware download pages for each of the affected routers of the company. Asus recommends that customers install the firmware immediately on their devices. Some firmware download pages appear to have not been updated yet by the company with the new releases. This appears to be the case for the Rog Rapture GT-AXE16000, as its latest firmware dates back to April 19th, 2023. Most of the other firmware download pages lists the new firmware, release date June 20, already though. A support page explains how administrators may update the firmware of Asus routers.

Asus notes that the firmware update addresses the following nine security CVE’s:

CVE-2023-28702 (high)
CVE-2023-28703 (high)
CVE-2023-31195 (not rated)
CVE-2022-46871 (high)
CVE-2022-38105 (high)
CVE-2022-35401 (critical)
1. An authentication bypass vulnerability exists in the get_IFTTTTtoken.cgi functionality of Asus RT-AX82U 3.0.0.4.386_49674-ge182230. A specially-crafted HTTP request can lead to full administrative access to the device. An attacker would need to send a series of HTTP requests to exploit this vulnerability.
CVE-2018-1160 (critical)
1. Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.
CVE-2022-38393 (high)
CVE-2022-26376 (critical)

Only three of the security issues are from 2023. The remaining security issues are from 2022, except for one, which is from 2018. Three of the vulnerabilities have the highest severity rating of critical, five of the remaining vulnerabilities have a severity rating of high, and one has not been rated yet.

Asus lists the following security fixes in particular that the new firmware update makes:

Fixed DoS vulnerabilities in firewall configuration pages.
Fixed DoS vulnerabilities in httpd.
Fixed information disclosure vulnerability.
Fixed null pointer dereference vulnerabilities.
Fixed the cfg server vulnerability.
Fixed the vulnerability in the logmessage function.
Fixed Client DOM Stored XSS
Fixed HTTP response splitting vulnerability
Fixed status page HTML vulnerability.
Fixed HTTP response splitting vulnerability.
Fixed Samba related vulerabilities.
Fixed Open redirect vulnerability.
Fixed token authentication security issues.
Fixed security issues on the status page.

System administrators who can’t install the firmware updates at this point may disable services “accessible from the WAN side” to protect devices against attacks. These WAN side services include “remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger” according to Asus.

System administrators may want to update the firmware of the router as soon as possible or apply the mitigations to protect devices against potential attacks.

Just last month, Asus confirmed an issue with some of its routers that caused connectivity issues for users.

Now You: when was the last time you updated your router’s firmware?

Summary

Article Name

Asus releases firmware updates for routers to address critical security issues

Description

Asus has released new firmware for a wide range of its routers that address nine different security issues, some of which rated critical.

Author

Martin Brinkmann

Publisher

Ghacks Technology News

Logo