ASUS Issues Router Product Security Advisory

[TheLostSwede]

If you own one of several recent ASUS router models, then you're being urged by ASUS to upgrade your firmware to the latest release as soon as possible, due to a few serious security flaws. The two most severe being CVE-2022-26376 and CVE-2018-1160, both of which are rated 9.8 on a scale of 10 in terms of severity. However, if you're running the third party Asuswrt-Merlin firmware, you're apparently safe, as the author of the third party firmware has already patched all the known security issues that ASUS has announced patches for.

The affected models are the GT6, GT-AXE16000, GT-AX11000 PRO, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400. That's 18 different models in total, all of which should be built around Broadcom hardware. It's unclear if more models are affected or not, but these are the ones ASUS has issued updates for. The security flaws in question could allow someone to take over an unpatched router and make it a part of a botnet or similar. ASUS has suggested turning off features like DDNS and VPN servers, as well as more obvious things like WAN access, port forwarding, port triggers and DMZ until the firmware has been updated on the affected models.



View at TechPowerUp Main Site | Source

 

[ZoneDymo]

again?

 

[TheLostSwede]

again?

It looks like someone at Asus screwed up and didn't apply patches for some old issues when they moved to a new build of their firmware, at least that's how I understand it based on comments by Merlin over at the SNB Forums.

 

[Minus Infinity]

I got the heads up 3 days ago at techspot.

 

[TheLostSwede]

I got the heads up 3 days ago at techspot.

Well, I'm sorry, I only spotted it last night and no-one else here wrote it up, but I figured it was important enough to post, even if we're late...
But if you feel we're tardy, please take it up with the management.

 

[andy_3_913]

Which firmware are they referring to?
I'm on 3.0.0.4.388.23285 which is the only one on their site as of writing this.

 

[TheLostSwede]

Which firmware are they referring to?
I'm on 3.0.0.4.388.23285 which is the only one on their site as of writing this.

It depends on the model of router you have, as they don't all use the same firmware.
The release should be within the last week or so. I had an update for the RT-AX86U Pro that I got as a replacement for my trust old R7800 that finally died.
Version 3.0.0.4.388_23565 according to the settings.

 

[kapone32]

Thanks for this I am going to check mine.

 

[andy_3_913]

It depends on the model of router you have, as they don't all use the same firmware.
The release should be within the last week or so. I had an update for the RT-AX86U Pro that I got as a replacement for my trust old R7800 that finally died.
Version 3.0.0.4.388_23565 according to the settings.

Sorry, forgot to say...AX 11000

 

[TheLostSwede]

Sorry, forgot to say...AX 11000

It does indeed not seem to have an update related to the two main issues, but it seems like the first CVE was fixed last year and the second one back in January for your specific model, so not sure why it's in the list of affected models, unless they messed up and rolled back those fixes in the most recent firmware somehow.

 

[andy_3_913]

It does indeed not seem to have an update related to the two main issues, but it seems like the first CVE was fixed last year and the second one back in January for your specific model, so not sure why it's in the list of affected models, unless they messed up and rolled back those fixes in the most recent firmware somehow.

Cheers. At least I'm not imagining things

 

[TheLostSwede]

Cheers. At least I'm not imagining things

Maybe worth checking at some point over the next couple of weeks to see if there's an update, just in case.

 

[andy_3_913]

Maybe worth checking at some point over the next couple of weeks to see if there's an update, just in case.

I have it set to auto-update, so hopefully that'll pick up any update.

 

[mechtech]

hmmm AX86U don't see the CVE's mentioned..........unless it's just undisclosed in one of the others below?

RT-AX86 Series(RT-AX86U/RT-AX86S)

The AX5700 WiFi 6 gaming router recommended for mobile gaming, PS5 compatible. With fast WiFi speed, large coverage and lower lag, free network security and easy setup.

www.asus.com

Version 3.0.0.4.388.23285 70.86 MB 2023/05/15

Security updates:
-Enabled and supported ECDSA certificates for Let's Encrypt.
-Enhanced protection for credentials.
-Enhanced protection for OTA firmware updates.
-Fixed DoS vulnerabilities in firewall configuration pages. Thanks to Jinghe Gao's contribution.
-Fixed DoS vulerabilities in httpd. Thanks to Howard McGreehan.
-Fixed information disclosure vulnerability. Thanks to Junxu (Hillstone Network Security Research Institute) contribution.
-Fixed CVE-2023-28702 and CVE-2023-28703. Thanks to Xingyu Xu(@tmotfl) contribution.
-Fixed null pointer dereference vulnerabilities. Thanks to Chengfeng Ye, Prism Research Group - cse hkust contribution.
-Fixed the cfg server vulnerability. Thanks to Swing and Wang Duo from Chaitin Security Research Lab.
-Fixed the vulnerability in the logmessage function. Thanks to Swing and Wang Duo from Chaitin Security Research Lab C0ss4ck from Bytedance Wuheng Lab, Feixincheng from X1cT34m

 

[Deleted member 177333]

Thanks for posting this. Just got done patching mine.

 

[neatfeatguy]

I find this posting odd from ASUS because there is no more recent firmware version for my RT-AX82U after 5/25/23, which is when I last updated mine. It's on version 3.0.0.4.388_23285, which is also the most recent version listed on ASUS's website for my router.

Either this issue was patched for my router back on 5/25/23 and ASUS is very late to the party posting about the firmware update on 6/19/23

Spoiler

(From there site: https://www.asus.com/content/asus-product-security-advisory/)

Latest security updates​

06/19/2023 New firmware with accumulate security updates for GT6/GT-AXE16000/GT-AX11000 PRO/GT-AXE11000/GT-AX6000/GT-AX11000/GS-AX5400/GS-AX3000/XT9/XT8/XT8 V2/RT-AX86U PRO/RT-AX86U/RT-AX86S/RT-AX82U/RT-AX58U/RT-AX3000/TUF-AX6000/TUF-AX5400 ∇
We strongly encourage you to periodically audit both your equipment and your security procedures, as this will ensure that you will be better protected. As a user of an ASUS router, we advise taking the following actions:

1. Update your router to the latest firmware. We strongly recommend that you do so as soon as new firmware is released. You will find the latest firmware available for download from the ASUS support page at https://www.asus.com/support/or the appropriate product page at https://www.asus.com/Networking/. ASUS has provided a link to new firmware for selected routers at the end of this notice.
2. Set up separate passwords for your wireless network and router-administration page. Use passwords with a length of at least eight characters, including a mix of capital letters, numbers and symbols. Do not use the same password for multiple devices or services.
3. Enable ASUS AiProtection, if your router supports this feature. Instructions on how to do this can be found in your router’s manual, or on the relevant ASUS support page, at https://www.asus.com/Networking/.

Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger.

For further help with router setup and an introduction to network security, please visit
https://www.asus.com/support/FAQ/1008000
https://www.asus.com/support/FAQ/1039292

The new firmware incorporates the following security fixes.

1. Fixed CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2018-1160, CVE-2022-38393, CVE-2022-26376
2. Fixed DoS vulnerabilities in firewall configuration pages.
3. Fixed DoS vulnerabilities in httpd.
4. Fixed information disclosure vulnerability.
5. Fixed null pointer dereference vulnerabilities.
6. Fixed the cfg server vulnerability.
7. Fixed the vulnerability in the logmessage function.
8. Fixed Client DOM Stored XSS
9. Fixed HTTP response splitting vulnerability
10. Fixed status page HTML vulnerability.
11. Fixed HTTP response splitting vulnerability.
12. Fixed Samba related vulerabilities.
13. Fixed Open redirect vulnerability.
14. Fixed token authentication security issues.
15. Fixed security issues on the status page.
16. Enabled and supported ECDSA certificates for Let's Encrypt.
17. Enhanced protection for credentials.
18. Enhanced protection for OTA firmware updates.

Model name	Firmware download path
GT6	https://rog.asus.com/networking/rog-rapture-gt6-model/helpdesk_bios/
GT-AXE16000	https://rog.asus.com/networking/rog-rapture-gt-axe16000-model/helpdesk_bios/
GT-AXE11000 PRO	https://rog.asus.com/networking/rog-rapture-gt-ax11000-pro-model/helpdesk_bios/
GT-AXE11000	https://rog.asus.com/networking/rog-rapture-gt-axe11000-model/helpdesk_bios/
GT-AX6000	https://rog.asus.com/networking/rog-rapture-gt-ax6000-model/helpdesk_bios/
GT-AX11000	https://rog.asus.com/networking/rog-rapture-gt-ax11000-model/helpdesk_bios/
GS-AX5400	https://rog.asus.com/networking/rog-strix-gs-ax5400-model/helpdesk_bios/
GS-AX3000	https://rog.asus.com/networking/rog-strix-gs-ax3000-model/helpdesk/
ZenWiFi XT9	https://www.asus.com/networking-iot...t9/helpdesk_bios/?model2Name=ASUS-ZenWiFi-XT9
ZenWiFi XT8	https://www.asus.com/networking-iot...helpdesk_bios/?model2Name=ASUS-ZenWiFi-AX-XT8
ZenWiFi XT8_V2	https://www.asus.com/networking-iot...helpdesk_bios/?model2Name=ASUS-ZenWiFi-AX-XT8
RT-AX86U PRO	https://www.asus.com/networking-iot...6u-pro/helpdesk_bios/?model2Name=RT-AX86U-Pro
RT-AX86U	https://www.asus.com/networking-iot.../?model2Name=RT-AX86-Series-RT-AX86U-RT-AX86S
RT-AX86S	https://www.asus.com/networking-iot.../?model2Name=RT-AX86-Series-RT-AX86U-RT-AX86S
RT-AX82U	https://www.asus.com/networking-iot...s/rt-ax82u/helpdesk_bios/?model2Name=RT-AX82U
RT-AX58U	https://www.asus.com/networking-iot...s/rt-ax58u/helpdesk_bios/?model2Name=RT-AX58U
RT-AX3000	https://www.asus.com/us/networking-...rt-ax3000/helpdesk_bios/?model2Name=RT-AX3000
TUF-AX6000	https://www.asus.com/networking-iot...0/helpdesk_bios/?model2Name=TUF-Gaming-AX6000
TUF-AX5400	https://www.asus.com/networking-iot...0/helpdesk_bios/?model2Name=TUF-Gaming-AX5400

OR
My router shouldn't be on their list
OR
Someone at ASUS dropped the ball and they haven't provided the most recent firmware for my router.

 

[Makaveli]

I don't see my AX88U listed currently on using merlin version 388.2_2 will see if he adds these updates to the 388.3 when its released.

 

[bonehead123]

Thank you AsSus....

for hiring/using the most incompetent & clueless software dweebs that your massive payroll budget could afford, and for not checking/testing their work before releasing new firmware, and potentially putting buttloads of people's systems at risk.. ....

 

[Zareek]

Thanks for this, I know a few people who are running the RT-AX3000. I used to own one before I started running pfSense instead.

 

[konga]

Very funny. I have an affected router, and it started randomly dropping all wirelessly connected clients earlier in the year. I was contemplating rolling back to a firmware version before this started happening, but now there's this. Maybe I'll just toss the piece of junk in the trash instead.

 

[katzi]

*updates router immediately*

 

[bug]

ASUS Issues Router Product Security Advisory

What does it say? "Dumba$$, you bought an Asus router"?

 

[CheapMeat]

Dang. I have auto-update on and it seems to be on the latest firmware.

 

[Makaveli]

Very funny. I have an affected router, and it started randomly dropping all wirelessly connected clients earlier in the year. I was contemplating rolling back to a firmware version before this started happening, but now there's this. Maybe I'll just toss the piece of junk in the trash instead.

try the merlin version of the firmware on your router if you have a supported model.

 

[konga]

try the merlin version of the firmware on your router if you have a supported model.

That's the version I've been using and experiencing the issue with.