Taiwanese company ASUS on Monday released firmware updates to address, among other issues, nine security bugs impacting a wide range of router models.
Of the nine security flaws, two are rated Critical and six are rated High in severity. One vulnerability is currently awaiting analysis.
The list of impacted products are GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.
Topping the list of fixes are CVE-2018-1160 and CVE-2022-26376, both of which are rated 9.8 out of a maximum of 10 on the CVSS scoring system.
CVE-2018-1160 concerns a nearly five-year-old out-of-bounds write bug in Netatalk versions before 3.1.12 that could allow a remote unauthenticated attacker to achieve arbitrary code execution.
CVE-2022-26376 has been described as a memory corruption vulnerability in the Asuswrt firmware that could be triggered by means of a specially-crafted HTTP request.
The seven other flaws are as follows –
- CVE-2022-35401 (CVSS score: 8.1) – An authentication bypass vulnerability that could permit an attacker to send malicious HTTP requests to gain full administrative access to the device.
- CVE-2022-38105 (CVSS score: 7.5) – An information disclosure vulnerability that could be exploited to access sensitive information by sending specially-crafted network packets.
- CVE-2022-38393 (CVSS score: 7.5) – A denial-of-service (DoS) vulnerability that could be triggered by sending a specially-crafted network packet.
- CVE-2022-46871 (CVSS score: 8.8) – The use of an out-of-date libusrsctp library that could open targeted devices to other attacks.
- CVE-2023-28702 (CVSS score: 8.8) – A command injection flaw that could be exploited by a local attacker to execute arbitrary system commands, disrupt system, or terminate service.
- CVE-2023-28703 (CVSS score: 7.2) – A stack-based buffer overflow vulnerability that could be exploited by an attacker with admin privileges to execute arbitrary system commands, disrupt system, or terminate service.
- CVE-2023-31195 (CVSS score: N/A) – An adversary-in-the-middle (AitM) flaw that could lead to a hijack of a user’s session.
ASUS is recommending that users apply the latest updates as soon as possible to mitigate security risks. As a workaround, it’s advising users to disable services accessible from the WAN side to avoid potential unwanted intrusions.
“These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, [and] port trigger,” the company said, urging customers to periodically audit their equipment as well as set up separate passwords for the wireless network and the router-administration page.