ASUS Releases Patches to Fix Critical Security Bugs Impacting Multiple Router Models

Taiwanese company ASUS on Monday released firmware updates to address, among other issues, nine security bugs impacting a wide range of router models.

The list of impacted products are GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.

Topping the list of fixes are CVE-2018-1160 and CVE-2022-26376, both of which are rated 9.8 out of a maximum of 10 on the CVSS scoring system.

CVE-2018-1160 concerns a nearly five-year-old out-of-bounds write bug in Netatalk versions before 3.1.12 that could allow a remote unauthenticated attacker to achieve arbitrary code execution.

CVE-2022-26376 has been described as a memory corruption vulnerability in the Asuswrt firmware that could be triggered by means of a specially-crafted HTTP request.

The seven other flaws are as follows –

• CVE-2022-35401 (CVSS score: 8.1) – An authentication bypass vulnerability that could permit an attacker to send malicious HTTP requests to gain full administrative access to the device.

• CVE-2022-38105 (CVSS score: 7.5) – An information disclosure vulnerability that could be exploited to access sensitive information by sending specially-crafted network packets.

• CVE-2022-38393 (CVSS score: 7.5) – A denial-of-service (DoS) vulnerability that could be triggered by sending a specially-crafted network packet.

• CVE-2022-46871 (CVSS score: 8.8) – The use of an out-of-date libusrsctp library that could open targeted devices to other attacks.

• CVE-2023-28702 (CVSS score: 8.8) – A command injection flaw that could be exploited by a local attacker to execute arbitrary system commands, disrupt system, or terminate service.

• CVE-2023-28703 (CVSS score: 7.2) – A stack-based buffer overflow vulnerability that could be exploited by an attacker with admin privileges to execute arbitrary system commands, disrupt system, or terminate service.

• CVE-2023-31195 (CVSS score: N/A) – An adversary-in-the-middle (AitM) flaw that could lead to a hijack of a user’s session.

ASUS is recommending that users apply the latest updates as soon as possible to mitigate security risks. As a workaround, it’s advising users to disable services accessible from the WAN side to avoid potential unwanted intrusions.

Source: https://thehackernews.com/