ASUS

Forty models in the Asus RT line of home routers are affected by five vulnerabilities that let an attacker obtain the router password, change router settings through a forged request, execute code, and exfiltrate router data.

The good news is that Nightwatch Cybersecurity, the company that found these flaws, reported them privately to Asus in January, and Asus issued a firmware update in March.

Users of any of the following Asus RT router models should check that they are running firmware version v3.0.0.4.380.7378 or later. The firmware update is available for download from Asus.

    RT-AC51U
    RT-AC52U B1
    RT-AC53
    RT-AC53U
    RT-AC55U
    RT-AC56R
    RT-AC56S
    RT-AC56U
    RT-AC66U
    RT-AC68U
    RT-AC68UF
    RT-AC66R
    RT-AC66U
    RT-AC66W
    RT-AC68W
    RT-AC68P
    RT-AC68R
    RT-AC68U
    RT-AC87R
    RT-AC87U
    RT-AC88U
    RT-AC1200
    RT-AC1750
    RT-AC1900P
    RT-AC3100
    RT-AC3200
    RT-AC5300
    RT-N11P
    RT-N12 (D1 version only)
    RT-N12+
    RT-N12E
    RT-N16
    RT-N18U
    RT-N56U
    RT-N66R
    RT-N66U (B1 version only)
    RT-N66W
    RT-N300
    RT-N600
    RT-4G-AC55U – [No patch available]
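The "is my router patched?" check above is easy to get wrong if the firmware string is compared as text rather than as numbers. The following is an added example, not code from the article, Asus or Nightwatch: it takes the model list and fixed version from the text above and classifies a device. The inventory at the bottom is constructed and its version strings are illustrative, not real Asus build numbers.

```python
import re

# Values taken from the advisory text above. For the RT-N12 only the D1 hardware
# revision and for the RT-N66U only the B1 revision are affected, so check the label
# on the device as well as the model name.
FIXED_VERSION = "3.0.0.4.380.7378"
NO_PATCH = {"RT-4G-AC55U"}
AFFECTED_MODELS = {
    "RT-AC51U", "RT-AC52U B1", "RT-AC53", "RT-AC53U", "RT-AC55U", "RT-AC56R",
    "RT-AC56S", "RT-AC56U", "RT-AC66U", "RT-AC68U", "RT-AC68UF", "RT-AC66R",
    "RT-AC66W", "RT-AC68W", "RT-AC68P", "RT-AC68R", "RT-AC87R", "RT-AC87U",
    "RT-AC88U", "RT-AC1200", "RT-AC1750", "RT-AC1900P", "RT-AC3100", "RT-AC3200",
    "RT-AC5300", "RT-N11P", "RT-N12", "RT-N12+", "RT-N12E", "RT-N16", "RT-N18U",
    "RT-N56U", "RT-N66R", "RT-N66U", "RT-N66W", "RT-N300", "RT-N600", "RT-4G-AC55U",
}

VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)+)$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn a firmware string such as '3.0.0.4.380.7378' (a leading 'v' is tolerated)
    into a tuple of integers. Comparing the raw strings would be wrong: as text,
    '3.0.0.4.380.10000' sorts *before* '3.0.0.4.380.7378' because '1' < '7'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def firmware_status(model: str, version: str) -> str:
    """Classify a device as 'not listed', 'no patch available', 'patched' or
    'vulnerable' against the fixed build named in the advisory."""
    model = model.strip().upper()
    if model not in AFFECTED_MODELS:
        return "not listed"
    if model in NO_PATCH:
        return "no patch available"
    if parse_version(version) >= parse_version(FIXED_VERSION):
        return "patched"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed inventory; the version strings are illustrative, not real build numbers.
    inventory = [
        ("RT-AC68U", "3.0.0.4.380.7378"),
        ("RT-AC68U", "3.0.0.4.380.7266"),
        ("RT-N12", "3.0.0.4.380.10000"),
        ("RT-4G-AC55U", "3.0.0.4.380.3000"),
    ]
    for model, version in inventory:
        print(f"{model:12} {version:20} {firmware_status(model, version)}")
```

A model that is not in the list gets "not listed" rather than "safe": the article only names the models Asus confirmed, so treat an unlisted device as unknown rather than as cleared.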

Below is a summary of the discovered vulnerabilities. For all of them, Nightwatch researcher Yakov Shafranovich has published proof-of-concept code on the company's website.

First set of issues

Login Page CSRF (CVE-2017-5891) - The login page of the router's web admin panel has no CSRF protection, so an attacker can lure a user to a malicious site and have that site submit a login request to the router from the user's browser. This can be used to log into routers that still use the default admin/admin credentials, or, if the attacker already knows it, with the real password.

Save Settings CSRF (CVE-2017-5891) - The same weakness on the settings page: a forged request can change how the router handles Internet traffic, its security settings, or its login details.
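To make the two CSRF issues concrete, here is an added example that is not code from the article, Asus or Nightwatch: a toy admin panel in Python with a login handler and a settings handler, each in a vulnerable and a hardened form. The router address, the endpoint logic and the DNS setting the attacker tampers with are all hypothetical; the default admin/admin credentials are the ones the article mentions. The demo replays the attack as the article describes it: the victim is lured to evil.example, which first logs the browser into the router and then submits a settings change.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical values for the demonstration; nothing here is taken from Asus firmware.
ROUTER_HOST = "192.168.1.1"
CREDENTIALS = {"admin": "admin"}        # the factory default the article mentions


@dataclass
class Request:
    method: str
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    cookie: str = ""                    # session id; a real browser attaches it automatically


sessions: dict = {}                     # session id -> {"user": ..., "csrf": ...}
settings: dict = {"dns": ROUTER_HOST}   # constructed router state the attacker wants to change


def same_origin(req: Request) -> bool:
    """Browsers add Origin (or at least Referer) to form POSTs, and a page on another
    site cannot forge either header, so a mismatch means a cross-site request."""
    src = req.headers.get("Origin") or req.headers.get("Referer") or ""
    return urlsplit(src).hostname == ROUTER_HOST


def login(req: Request, hardened: bool) -> tuple:
    """Login handler. With hardened=False it accepts a POST from anywhere (login CSRF);
    with hardened=True it refuses cross-site requests before checking credentials."""
    if req.method != "POST":
        return 405, "method not allowed"
    if hardened and not same_origin(req):
        return 403, "cross-site request rejected"
    user, password = req.form.get("user", ""), req.form.get("pass", "")
    expected = CREDENTIALS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401, "bad credentials"
    sid = secrets.token_urlsafe(16)
    sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return 200, sid


def save_settings(req: Request, hardened: bool) -> tuple:
    """Settings handler. The hardened form needs a same-site origin *and* the per-session
    token, which only a page served by the router itself can read and echo back."""
    sess = sessions.get(req.cookie)
    if req.method != "POST" or sess is None:
        return 401, "login required"
    if hardened and (not same_origin(req) or
                     not hmac.compare_digest(sess["csrf"], req.form.get("csrf_token", ""))):
        return 403, "cross-site request rejected"
    settings.update({k: v for k, v in req.form.items() if k != "csrf_token"})
    return 200, "saved"


def demo() -> dict:
    """Replay the two-step attack from the article against both handler variants, then a
    legitimate change against the hardened one. Returns the resulting DNS setting of each."""
    results = {}
    evil = {"Origin": "http://evil.example"}   # set by the browser; the attacker cannot change it
    for label, hardened in (("vulnerable", False), ("hardened", True)):
        sessions.clear()
        settings["dns"] = ROUTER_HOST
        # Step 1: evil.example auto-submits a login form with the default credentials.
        # The session cookie in the response lands in the victim's browser.
        code, sid = login(Request("POST", {"user": "admin", "pass": "admin"}, evil), hardened)
        sid = sid if code == 200 else ""
        # Step 2: a second forged form changes a setting. The browser attaches the cookie,
        # but the attacker's page cannot know the csrf token, so it sends none.
        save_settings(Request("POST", {"dns": "203.0.113.5"}, evil, cookie=sid), hardened)
        results[label] = settings["dns"]
    # A genuine change from the router's own admin page carries both origin and token.
    sessions.clear()
    settings["dns"] = ROUTER_HOST
    own = {"Origin": f"http://{ROUTER_HOST}"}
    _, sid = login(Request("POST", {"user": "admin", "pass": "admin"}, own), True)
    token = sessions[sid]["csrf"]
    save_settings(Request("POST", {"dns": "198.51.100.9", "csrf_token": token}, own, cookie=sid), True)
    results["legitimate"] = settings["dns"]
    return results


if __name__ == "__main__":
    print(demo())
```

The origin check alone stops the login CSRF, because an unauthenticated login page has no session to bind a token to; the settings page gets both the origin check and a per-session token so that a missing or stripped Origin header is not enough to get through. Marking the session cookie SameSite is a further browser-side mitigation that this server-side example does not rely on.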

JSONP Information Disclosure Without Login - A JSONP endpoint in the router's firmware answers requests without authentication, and because a JSONP response can be loaded as a script from any origin, a malicious web page can read it. It reveals router details such as the model, SSID and IP address, and status information.

JSONP Information Disclosure, Login Required (CVE-2017-5892) - Same as above, but this endpoint requires the user to be logged in, which a malicious page can exploit while the user has an admin session open. It reveals far more: in-depth network information, access point details, the devices on the network, the external IP, WebDAV data, and more.
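Why JSONP leaks across origins, and why the login requirement on the second endpoint does not help, is easier to see with a small model. The following is an added example, not code from the article, Asus or Nightwatch, and it covers both JSONP issues above: two hypothetical endpoint shapes (one vulnerable, one fixed) and a function that models what a page on evil.example can do in the victim's browser. The router data returned is constructed, not from a real device, and the "browser" is a deliberate simplification: a real `<script>` tag evaluates the response as JavaScript, so a `name({...});` body calls the attacker's function while a bare JSON body is a syntax error and yields nothing.

```python
import json
import re

# Constructed router data standing in for what the article says the endpoints return.
ROUTER_INFO = {"model": "RT-AC68U", "ssid": "HomeNet", "lan_ip": "192.168.1.1"}


def jsonp_endpoint(query: dict, logged_in: bool) -> tuple:
    """Vulnerable shape: the data is wrapped in whatever function name the query supplies,
    so the response is a script that runs wherever it is loaded. The logged_in flag is
    ignored here (the first issue) and, even if it were checked, the browser sends the
    victim's session along with a <script src> request (the second issue)."""
    callback = query.get("callback", "callback")
    return "application/javascript", f"{callback}({json.dumps(ROUTER_INFO)});"


def hardened_endpoint(query: dict, logged_in: bool) -> tuple:
    """Fixed shape: login required, callback parameter ignored, plain JSON returned.
    A cross-origin <script> tag cannot evaluate a bare JSON object into anything useful,
    and the same-origin policy stops the attacker reading it with XHR or fetch."""
    if not logged_in:
        return "application/json", json.dumps({"error": "login required"})
    return "application/json", json.dumps(ROUTER_INFO)


JSONP_CALL = re.compile(r"^([A-Za-z_$][\w$]*)\((.*)\);?\s*$", re.S)


def attacker_page(endpoint, victim_logged_in: bool):
    """Models evil.example running in the victim's browser. It defines a global function
    'steal', loads <script src="http://192.168.1.1/...?callback=steal"> (hypothetical URL)
    and lets the browser evaluate the response. Returns the stolen data, or None."""
    loot = {}
    window = {"steal": loot.update}   # attacker-defined global function
    ctype, body = endpoint({"callback": "steal"}, victim_logged_in)
    call = JSONP_CALL.match(body)
    # The simulated script engine: a JS response of the form name(arg); invokes name.
    if ctype == "application/javascript" and call and call.group(1) in window:
        window[call.group(1)](json.loads(call.group(2)))
    return loot or None


if __name__ == "__main__":
    print("no-login JSONP, victim logged out:", attacker_page(jsonp_endpoint, False))
    print("JSONP with victim logged in:     ", attacker_page(jsonp_endpoint, True))
    print("hardened, victim logged in:      ", attacker_page(hardened_endpoint, True))
```

The point of the fix is not the login check on its own: an endpoint that still answers in JSONP form leaks to any page the logged-in user visits, because the browser attaches the session cookie to the script request. Dropping the callback wrapper (and serving the data only as JSON to same-origin callers) is what closes the cross-origin read.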

XML Endpoint Reveals WiFi Passwords - An XML endpoint in the router's firmware returns the current WiFi network password when queried. The attacker must be on the same network and know the router's admin password in order to query it.

Second set of issues

The firmware update that patches the vulnerabilities described above also includes fixes for other issues, discovered by security researcher Bruno Bierbaumer.

These are a cross-site scripting (XSS) issue in the login page (CVE-2017-6547), a session-stealing issue (CVE-2017-6549), and a remote code execution bug (CVE-2017-6548) that lets attackers run their own code on affected devices.

Taken individually, these issues look low-impact, but a skilled attacker can chain them to take over routers and add them to a botnet, using the devices to relay malicious traffic or launch DDoS attacks. That, in turn, degrades the router's performance and the local Internet speed.