40 models of the Asus RT line of home routers are affected by five vulnerabilities that allow an attacker to get ahold of the router password, change router settings without authentication, execute code, and exfiltrate router data.
The good news is that the company that found these flaws, Nightwatch Cybersecurity, privately reported the problems to Asus in January, and Asus issued a firmware update in March.
Users of any of the following Asus RT router models should check whether they're running firmware version v188.8.131.52.380.7378 or higher. The firmware update is available for download here.
RT-AC51U, RT-AC52U B1, RT-AC53, RT-AC53U, RT-AC55U, RT-AC56R, RT-AC56S, RT-AC56U, RT-AC66U, RT-AC68U, RT-AC68UF, RT-AC66R, RT-AC66U, RT-AC66W, RT-AC68W, RT-AC68P, RT-AC68R, RT-AC68U, RT-AC87R, RT-AC87U, RT-AC88U, RT-AC1200, RT-AC1750, RT-AC1900P, RT-AC3100, RT-AC3200, RT-AC5300, RT-N11P, RT-N12 (D1 version only), RT-N12+, RT-N12E, RT-N16, RT-N18U, RT-N56U, RT-N66R, RT-N66U (B1 version only), RT-N66W, RT-N300, RT-N600, RT-4G-AC55U – [No patch available]
Below is a summary of all the discovered vulnerabilities. For all issues, Nightwatch researcher Yakov Shafranovich has published PoCs on the company's website.
Login Page CSRF (CVE-2017-5891) - The router's web admin panel login page doesn't have CSRF protection. This means an attacker can lure a user to a malicious site and issue a request from that site to the router's login page. This vulnerability can be used to log into routers that still use their default password of admin/admin, or to authenticate using the real password.
Save Settings CSRF (CVE-2017-5891) - Same as above, but the attacker can modify router settings to alter Internet traffic handling, security settings, or login details.
JSONP Information Disclosure Without Login - A JSONP endpoint in the router's firmware responds to external requests, revealing information on the router's settings, such as model, SSID, IP address, and whether it's running.
JSONP Information Disclosure, Login Required (CVE-2017-5892) - The same as above, but this endpoint reveals more details about the router, such as in-depth network information, access point details, information on network mapped devices, external IP, WebDAV data, and more.
XML Endpoint Reveals WiFi Passwords - An XML endpoint in the router's firmware allows an attacker to query the router and get its current WiFi network password. This attack requires the attacker to be on the same network, and know the router's admin password so that he can query the XML endpoint.
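To make the CSRF and JSONP items above concrete from the defender's side, here is an added example (not Asus firmware code and not taken from the Nightwatch advisory) of the server-side checks an admin panel can apply to login, save-settings and JSONP requests. The host names, the `callback` and `csrf_token` parameter names, and the sample requests are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

ADMIN_HOSTS = {"192.168.1.1", "router.example"}  # assumed panel hostnames
SERVER_KEY = secrets.token_bytes(32)  # per-boot secret, never sent to clients


def csrf_token(session_id):
    """Token bound to one admin session; embedded in the panel's own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def request_source(headers):
    """Host the browser reports as the initiator (Origin, else Referer)."""
    value = headers.get("Origin") or headers.get("Referer")
    return urlsplit(value).hostname if value else None  # "null" parses to None


def check_request(method, params, headers, session_id=None):
    """Gate state-changing POSTs and JSONP reads (includable via <script>)."""
    if method != "POST" and "callback" not in params:
        return "allow"
    if request_source(headers) not in ADMIN_HOSTS:
        return "deny: cross-site or unknown source"
    if method == "POST" and session_id is not None:
        sent = params.get("csrf_token", "").encode()
        if not hmac.compare_digest(sent, csrf_token(session_id).encode()):
            return "deny: missing or wrong CSRF token"
    return "allow"


def demo():
    """Run constructed requests (not captured traffic) through the check."""
    own, sid = {"Origin": "http://192.168.1.1"}, "session-1234"
    foreign = {"Referer": "http://other-site.example/page"}
    good = {"ssid": "home", "csrf_token": csrf_token(sid)}
    return [
        check_request("POST", {"user": "admin"}, foreign),   # login, cross-site
        check_request("POST", {"user": "admin"}, own),       # login, own page
        check_request("POST", {"ssid": "home"}, own, sid),   # settings, no token
        check_request("POST", good, own, sid),               # settings, token
        check_request("GET", {"callback": "cb"}, foreign),   # JSONP include
    ]


if __name__ == "__main__":
    print("\n".join(demo()))
```

A login POST has no session yet, so it is covered by the source check alone; the per-session token adds a second barrier for settings changes.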
The firmware update that patches the vulnerabilities described above also includes fixes for other issues discovered by security researcher Bruno Bierbaumer.
These are an XSS issue in the login page (CVE-2017-6547), a session stealing issue (CVE-2017-6549), and a remote code execution bug (CVE-2017-6548) that allows attackers to run their own code on affected devices.
Taken individually all these issues are trivial, but a skilled attacker can chain them together and take over routers, adding them to a botnet, and using these devices for his own operations, such as relaying malicious traffic or launching DDoS attacks. This, in turn, slows down the router's performance and local Internet speed.