Sunday, June 25th 2023

ASUS Issues Router Product Security Advisory

If you own one of several recent ASUS router models, ASUS is urging you to upgrade your firmware to the latest release as soon as possible, due to a number of serious security flaws. The two most severe are CVE-2022-26376 and CVE-2018-1160, both of which carry a CVSS score of 9.8 out of 10. CVE-2022-26376 is a memory-corruption bug in the router's httpd web server, while CVE-2018-1160 is a five-year-old out-of-bounds write in the bundled Netatalk (AFP) file server; both are reachable without credentials if the vulnerable service is exposed. However, if you're running the third-party Asuswrt-Merlin firmware, you're apparently safe, as its author had already patched all of the issues ASUS has now announced fixes for.

The affected models are the GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400. That's 19 different models in total, all of which, as far as we can tell, are built around Broadcom hardware. It's unclear whether more models are affected, but these are the ones ASUS has issued updates for. Note that ASUS describes the release as accumulating security updates, so some of the listed CVEs were already fixed for some models in earlier firmware; check the changelog on your model's download page rather than assuming every listed CVE is new to your router. The flaws could allow someone to take over an unpatched router and make it part of a botnet or similar. Until the firmware has been updated, ASUS recommends turning off services reachable from the WAN side: remote access from WAN, port forwarding, port triggers and DMZ, as well as DDNS and any VPN servers running on the router.
Sources: ASUS Product Security Advisory, via Bleepingcomputer

30 Comments on ASUS Issues Router Product Security Advisory

#2
TheLostSwede
News Editor
ZoneDymo: again?
It looks like someone at Asus screwed up and didn't apply patches for some old issues when they moved to a new build of their firmware, at least that's how I understand it based on comments by Merlin over at the SNB Forums.
Posted on Reply
#4
TheLostSwede
News Editor
Minus Infinity: I got the heads up 3 days ago at techspot.
Well, I'm sorry, I only spotted it last night and no-one else here wrote it up, but I figured it was important enough to post, even if we're late...
But if you feel we're tardy, please take it up with the management.
Posted on Reply
#5
andy_3_913
Which firmware are they referring to?
I'm on 3.0.0.4.388.23285 which is the only one on their site as of writing this.
Posted on Reply
#6
TheLostSwede
News Editor
andy_3_913: Which firmware are they referring to?
I'm on 3.0.0.4.388.23285 which is the only one on their site as of writing this.
It depends on the model of router you have, as they don't all use the same firmware.
The release should be within the last week or so. I had an update for the RT-AX86U Pro that I got as a replacement for my trusty old R7800 that finally died.
Version 3.0.0.4.388_23565 according to the settings.
Posted on Reply
#7
kapone32
Thanks for this I am going to check mine.
Posted on Reply
#8
andy_3_913
TheLostSwede: It depends on the model of router you have, as they don't all use the same firmware.
The release should be within the last week or so. I had an update for the RT-AX86U Pro that I got as a replacement for my trusty old R7800 that finally died.
Version 3.0.0.4.388_23565 according to the settings.
Sorry, forgot to say...AX 11000
Posted on Reply
#9
TheLostSwede
News Editor
andy_3_913: Sorry, forgot to say...AX 11000
It does indeed not seem to have an update related to the two main issues, but it seems like the first CVE was fixed last year and the second one back in January for your specific model, so not sure why it's in the list of affected models, unless they messed up and rolled back those fixes in the most recent firmware somehow.
Posted on Reply
#10
andy_3_913
TheLostSwede: It does indeed not seem to have an update related to the two main issues, but it seems like the first CVE was fixed last year and the second one back in January for your specific model, so not sure why it's in the list of affected models, unless they messed up and rolled back those fixes in the most recent firmware somehow.
Cheers. At least I'm not imagining things :)
Posted on Reply
#11
TheLostSwede
News Editor
andy_3_913: Cheers. At least I'm not imagining things :)
Maybe worth checking at some point over the next couple of weeks to see if there's an update, just in case.
Posted on Reply
#12
andy_3_913
TheLostSwede: Maybe worth checking at some point over the next couple of weeks to see if there's an update, just in case.
I have it set to auto-update, so hopefully that'll pick up any update.
Posted on Reply
#13
mechtech
hmmm, AX86U, don't see the CVEs mentioned... unless it's just undisclosed in one of the others below?

www.asus.com/ca-en/networking-iot-servers/wifi-routers/asus-gaming-routers/rt-ax86u/helpdesk_bios/?model2Name=RT-AX86U
Version 3.0.0.4.388.23285 70.86 MB 2023/05/15

Security updates:
-Enabled and supported ECDSA certificates for Let's Encrypt.
-Enhanced protection for credentials.
-Enhanced protection for OTA firmware updates.
-Fixed DoS vulnerabilities in firewall configuration pages. Thanks to Jinghe Gao's contribution.
-Fixed DoS vulnerabilities in httpd. Thanks to Howard McGreehan.
-Fixed information disclosure vulnerability. Thanks to Junxu (Hillstone Network Security Research Institute) contribution.
-Fixed CVE-2023-28702 and CVE-2023-28703. Thanks to Xingyu Xu(@tmotfl) contribution.
-Fixed null pointer dereference vulnerabilities. Thanks to Chengfeng Ye, Prism Research Group - cse hkust contribution.
-Fixed the cfg server vulnerability. Thanks to Swing and Wang Duo from Chaitin Security Research Lab.
-Fixed the vulnerability in the logmessage function. Thanks to Swing and Wang Duo from Chaitin Security Research Lab C0ss4ck from Bytedance Wuheng Lab, Feixincheng from X1cT34m
Posted on Reply
#15
neatfeatguy
I find this posting odd from ASUS because there is no more recent firmware version for my RT-AX82U after 5/25/23, which is when I last updated mine. It's on version 3.0.0.4.388_23285, which is also the most recent version listed on ASUS's website for my router.

Either this issue was patched for my router back on 5/25/23 and ASUS is very late to the party posting about the firmware update on 6/19/23


(From their site: www.asus.com/content/asus-product-security-advisory/)

Latest security updates

06/19/2023 New firmware with accumulated security updates for GT6/GT-AXE16000/GT-AX11000 PRO/GT-AXE11000/GT-AX6000/GT-AX11000/GS-AX5400/GS-AX3000/XT9/XT8/XT8 V2/RT-AX86U PRO/RT-AX86U/RT-AX86S/RT-AX82U/RT-AX58U/RT-AX3000/TUF-AX6000/TUF-AX5400
We strongly encourage you to periodically audit both your equipment and your security procedures, as this will ensure that you will be better protected. As a user of an ASUS router, we advise taking the following actions:
  1. Update your router to the latest firmware. We strongly recommend that you do so as soon as new firmware is released. You will find the latest firmware available for download from the ASUS support page at www.asus.com/support/ or the appropriate product page at www.asus.com/Networking/. ASUS has provided a link to new firmware for selected routers at the end of this notice.
  2. Set up separate passwords for your wireless network and router-administration page. Use passwords with a length of at least eight characters, including a mix of capital letters, numbers and symbols. Do not use the same password for multiple devices or services.
  3. Enable ASUS AiProtection, if your router supports this feature. Instructions on how to do this can be found in your router’s manual, or on the relevant ASUS support page, at www.asus.com/Networking/.
Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger.

For further help with router setup and an introduction to network security, please visit
www.asus.com/support/FAQ/1008000
www.asus.com/support/FAQ/1039292

The new firmware incorporates the following security fixes.
  1. Fixed CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2018-1160, CVE-2022-38393, CVE-2022-26376
  2. Fixed DoS vulnerabilities in firewall configuration pages.
  3. Fixed DoS vulnerabilities in httpd.
  4. Fixed information disclosure vulnerability.
  5. Fixed null pointer dereference vulnerabilities.
  6. Fixed the cfg server vulnerability.
  7. Fixed the vulnerability in the logmessage function.
  8. Fixed Client DOM Stored XSS
  9. Fixed HTTP response splitting vulnerability
  10. Fixed status page HTML vulnerability.
  11. Fixed HTTP response splitting vulnerability.
  12. Fixed Samba related vulnerabilities.
  13. Fixed Open redirect vulnerability.
  14. Fixed token authentication security issues.
  15. Fixed security issues on the status page.
  16. Enabled and supported ECDSA certificates for Let's Encrypt.
  17. Enhanced protection for credentials.
  18. Enhanced protection for OTA firmware updates.
Model name: Firmware download path
GT6: rog.asus.com/networking/rog-rapture-gt6-model/helpdesk_bios/
GT-AXE16000: rog.asus.com/networking/rog-rapture-gt-axe16000-model/helpdesk_bios/
GT-AXE11000 PRO: rog.asus.com/networking/rog-rapture-gt-ax11000-pro-model/helpdesk_bios/
GT-AXE11000: rog.asus.com/networking/rog-rapture-gt-axe11000-model/helpdesk_bios/
GT-AX6000: rog.asus.com/networking/rog-rapture-gt-ax6000-model/helpdesk_bios/
GT-AX11000: rog.asus.com/networking/rog-rapture-gt-ax11000-model/helpdesk_bios/
GS-AX5400: rog.asus.com/networking/rog-strix-gs-ax5400-model/helpdesk_bios/
GS-AX3000: rog.asus.com/networking/rog-strix-gs-ax3000-model/helpdesk/
ZenWiFi XT9: www.asus.com/networking-iot-servers/whole-home-mesh-wifi-system/zenwifi-wifi-systems/asus-zenwifi-xt9/helpdesk_bios/?model2Name=ASUS-ZenWiFi-XT9
ZenWiFi XT8: www.asus.com/networking-iot-servers/whole-home-mesh-wifi-system/zenwifi-wifi-systems/asus-zenwifi-ax-xt8/helpdesk_bios/?model2Name=ASUS-ZenWiFi-AX-XT8
ZenWiFi XT8_V2: www.asus.com/networking-iot-servers/whole-home-mesh-wifi-system/zenwifi-wifi-systems/asus-zenwifi-ax-xt8/helpdesk_bios/?model2Name=ASUS-ZenWiFi-AX-XT8
RT-AX86U PRO: www.asus.com/networking-iot-servers/wifi-routers/asus-gaming-routers/rt-ax86u-pro/helpdesk_bios/?model2Name=RT-AX86U-Pro
RT-AX86U: www.asus.com/networking-iot-servers/wifi-6/all-series/rt-ax86u/helpdesk_bios/?model2Name=RT-AX86-Series-RT-AX86U-RT-AX86S
RT-AX86S: www.asus.com/networking-iot-servers/wifi-6/all-series/rt-ax86u/helpdesk_bios/?model2Name=RT-AX86-Series-RT-AX86U-RT-AX86S
RT-AX82U: www.asus.com/networking-iot-servers/wifi-routers/asus-gaming-routers/rt-ax82u/helpdesk_bios/?model2Name=RT-AX82U
RT-AX58U: www.asus.com/networking-iot-servers/wifi-routers/asus-wifi-routers/rt-ax58u/helpdesk_bios/?model2Name=RT-AX58U
RT-AX3000: www.asus.com/us/networking-iot-servers/wifi-routers/asus-wifi-routers/rt-ax3000/helpdesk_bios/?model2Name=RT-AX3000
TUF-AX6000: www.asus.com/networking-iot-servers/wifi-routers/asus-gaming-routers/tuf-gaming-ax6000/helpdesk_bios/?model2Name=TUF-Gaming-AX6000
TUF-AX5400: www.asus.com/networking-iot-servers/wifi-routers/asus-gaming-routers/tuf-gaming-ax5400/helpdesk_bios/?model2Name=TUF-Gaming-AX5400

OR
My router shouldn't be on their list
OR
Someone at ASUS dropped the ball and they haven't provided the most recent firmware for my router.
Posted on Reply
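The article and the advisory quoted above both boil down to the same interim mitigation: until the new firmware is on the box, nothing should be listening on the WAN side. The script below is an added example written for this page; it is not ASUS code, not part of the advisory, and not from the article. It reads the router's nvram settings (Asuswrt stores every web-UI toggle there), reports the firmware string in the form the UI shows it, and lists each WAN-facing service the advisory says to switch off. The nvram variable names (misc_http_x, vts_enable_x, autofw_enable_x, dmz_ip, ddns_enable_x, pptpd_enable, ipsec_server_enable, vpn_serverx_start, sshd_enable) and their meanings are assumptions based on Asuswrt/Asuswrt-Merlin conventions and should be verified against your own `nvram show` output. The embedded dump is constructed sample data; on a real router replace it with the output of `nvram show`.

```shell
#!/bin/sh
# Added example: audit WAN-reachable services on an Asuswrt router while
# waiting for the patched firmware. Run over SSH on the router with
#   NVRAM_DUMP="$(nvram show 2>/dev/null)"
# The variable names below are assumptions about Asuswrt's nvram layout.

# Constructed sample dump (not from a real device): an RT-AX86U on the
# pre-advisory firmware with several WAN-facing features switched on.
NVRAM_DUMP='productid=RT-AX86U
firmver=3.0.0.4
buildno=388
extendno=23285-g1a2b3c4
misc_http_x=1
misc_httpport_x=8443
vts_enable_x=1
autofw_enable_x=0
dmz_ip=192.168.50.10
ddns_enable_x=1
pptpd_enable=0
ipsec_server_enable=1
vpn_serverx_start=
sshd_enable=1'

# nv_get KEY: print the value of KEY from the dump, empty if absent.
nv_get() {
    printf '%s\n' "$NVRAM_DUMP" | sed -n "s/^$1=//p" | head -n 1
}

# fw_version: firmware string as the web UI shows it, e.g. 3.0.0.4.388_23285
# (extendno carries a git suffix after the dash, which the UI drops).
fw_version() {
    printf '%s.%s_%s\n' "$(nv_get firmver)" "$(nv_get buildno)" \
        "$(nv_get extendno | cut -d- -f1)"
}

# wan_exposed: one line per service the advisory says to disable until the
# router is patched; prints nothing if the router is already locked down.
# Assumed semantics: *_enable_x and *_enable are 1 when on; dmz_ip is empty
# when no DMZ host is set; vpn_serverx_start lists enabled OpenVPN server
# instances; sshd_enable=1 means SSH is reachable from LAN and WAN (2 = LAN only).
wan_exposed() {
    [ "$(nv_get misc_http_x)" = "1" ] && echo "remote-web-access port=$(nv_get misc_httpport_x)"
    [ "$(nv_get vts_enable_x)" = "1" ] && echo "port-forwarding"
    [ "$(nv_get autofw_enable_x)" = "1" ] && echo "port-trigger"
    [ -n "$(nv_get dmz_ip)" ] && echo "dmz host=$(nv_get dmz_ip)"
    [ "$(nv_get ddns_enable_x)" = "1" ] && echo "ddns"
    [ "$(nv_get pptpd_enable)" = "1" ] && echo "vpn-server-pptp"
    [ "$(nv_get ipsec_server_enable)" = "1" ] && echo "vpn-server-ipsec"
    [ -n "$(nv_get vpn_serverx_start)" ] && echo "vpn-server-openvpn instances=$(nv_get vpn_serverx_start)"
    [ "$(nv_get sshd_enable)" = "1" ] && echo "ssh-from-wan"
    return 0
}

echo "Model: $(nv_get productid)  Firmware: $(fw_version)"
if [ -n "$(wan_exposed)" ]; then
    echo "WAN-reachable services to disable until patched:"
    wan_exposed | sed 's/^/  - /'
else
    echo "No WAN-reachable services enabled."
fi
```

With the sample dump the script reports six exposed services (remote web access on 8443, port forwarding, a DMZ host, DDNS, the IPsec VPN server and SSH from WAN); port triggering and PPTP are off, so they are not listed. DDNS is on the list not because it listens on the WAN itself but because it keeps the router findable under a stable name, which matters for anything else that is exposed. A clean run after applying the advisory's workaround should print nothing but the "No WAN-reachable services" line, and once the firmware is updated the version string should no longer match the one you started with.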
#16
Makaveli
I don't see my AX88U listed. Currently using Merlin version 388.2_2; will see if he adds these updates to 388.3 when it's released.
Posted on Reply
#17
bonehead123
Thank you AsSus....

for hiring/using the most incompetent & clueless software dweebs that your massive payroll budget could afford, and for not checking/testing their work before releasing new firmware, and potentially putting buttloads of people's systems at risk.. :(..:fear:..:eek:
Posted on Reply
#18
Zareek
Thanks for this, I know a few people who are running the RT-AX3000. I used to own one before I started running pfSense instead.
Posted on Reply
#19
konga
Very funny. I have an affected router, and it started randomly dropping all wirelessly connected clients earlier in the year. I was contemplating rolling back to a firmware version before this started happening, but now there's this. Maybe I'll just toss the piece of junk in the trash instead.
Posted on Reply
#20
katzi
*updates router immediately*
Posted on Reply
#21
bug
ASUS Issues Router Product Security Advisory
What does it say? "Dumba$$, you bought an Asus router"?
Posted on Reply
#22
CheapMeat
Dang. I have auto-update on and it seems to be on the latest firmware.
Posted on Reply
#23
Makaveli
konga: Very funny. I have an affected router, and it started randomly dropping all wirelessly connected clients earlier in the year. I was contemplating rolling back to a firmware version before this started happening, but now there's this. Maybe I'll just toss the piece of junk in the trash instead.
try the merlin version of the firmware on your router if you have a supported model.
Posted on Reply
#24
konga
Makaveli: try the merlin version of the firmware on your router if you have a supported model.
That's the version I've been using and experiencing the issue with.
Posted on Reply
#25
Makaveli
konga: That's the version I've been using and experiencing the issue with.
What troubleshooting have you done so far?

Factory reset?
Forgetting the wifi on all affected device and rejoining?

Does stock firmware also show the same thing?
Posted on Reply