A recent ASUS firmware update addressed a number of vulnerabilities in 30 models of its popular RT routers.
The flaws were privately disclosed by researchers at Baltimore consultancy Nightwatch Cybersecurity, and were patched starting in March, with 10 updates added Wednesday. Users should ensure their firmware is up to date and running on version 3.0.0.4.380.7378.
The vulnerabilities were found in a native web interface on the devices and allow an attacker on the same local network to change router settings, steal Wi-Fi passwords or leak system information.
ASUS addressed all but one of the disclosed vulnerabilities, an issue found in two JSONP endpoints that leak some information about the router without the need for the attacker to be logged in. Nightwatch’s Yakov Shafranovich said ASUS did not consider this a security issue.
“It is an information disclosure issue which can be used to detect if a router is an ASUS router, but cannot be used as an attack on its own,” Shafranovich said. “We disagree because this can be used to facilitate an attack; it would be the first step to detect if the router is an ASUS router.”
Shafranovich said that two cross-site request forgery vulnerabilities were the most critical among the disclosures. One was found on the router’s login page and the other within the interface that saves settings, both of which lacked CSRF protection. An attacker could lure a victim to a site hosting malicious JavaScript and carry out a CSRF attack to login to the router. If the user has failed to change the default password on the device, this facilitates the attack even further.
“Fool a user that is on a network using an Asus router into visiting a malicious page; the JavaScript code on that page that can do the rest,” Shafranovich said.
Nightwatch also found a separate JSONP information disclosure vulnerability that requires authentication. An attacker can use these to learn information through the router, including network information, surrounding access points, a map of devices on the local network, external IP addresses, WebDAV information and more.
The researchers also found an XML endpoint in the router that reveals the router’s Wi-Fi- password.
“But to fully exploit this issue, it would require a mobile or desktop application running on the local network since XML cannot be loaded cross origin in the browser,” Nightwatch said in its advisory.
The researchers said that exploits targeting the JSONP issues would load the JSONP endpoints via SCRIPT tags, while the XML endpoint issue could be exploited through a malicious application.
“All of these assume that the attacker knows the local IP address of the router,” the researchers said. “This could probably be guessed or be determined via Javascript APIs like WebRTC. For desktop and mobile applications, determination of the gateway address should be trivial to implement.”
Nightwatch also published a list of affected models:
Added Wednesday:
- 4G-AC55U
- RT-AC52U B1
- RT-AC53
- RT-AC68UF
- RT-AC88U
- RT-AC1200
- RT-AC1750
- RT-N16
- RT-N300
- RT-N600
Originally updated in March:
- RT-AC51U
- RT-AC53U
- RT-AC55U
- RT-AC56R
- RT-AC56S
- RT-AC56U
- RT-AC66U
- RT-AC68U
- RT-AC66R
- RT-AC66U
- RT-AC66W
- RT-AC68W
- RT-AC68P
- RT-AC68R
- RT-AC68U
- RT-AC87R
- RT-AC87U
- RT-AC1900P
- RT-AC3100
- RT-AC3200
- RT-AC5300
- RT-N11P
- RT-N12 (D1 version only)
- RT-N12+
- RT-N12E
- RT-N18U
- RT-N56U
- RT-N66R
- RT-N66U (B1 version only)
- RT-N66W
