Wireless Networking Security

ASUS Urges Customers To Patch Critical Router Vulnerabilities (bleepingcomputer.com) 25

ASUS has released new firmware for several router models to address security vulnerabilities, including critical ones like CVE-2022-26376 and CVE-2018-1160, which can lead to denial-of-service attacks and code execution. The company advises customers to update their devices immediately or restrict WAN access until the devices are secured, urging them to create strong passwords and follow security measures. BleepingComputer reports: The first is a critical memory corruption weakness in the Asuswrt firmware for Asus routers that could let attackers trigger denial-of-service states or gain code execution. The other critical patch is for an almost five-year-old CVE-2018-1160 bug caused by an out-of-bounds write Netatalk weakness that can also be exploited to gain arbitrary code execution on unpatched devices.

"Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger," ASUS warned in a security advisory published today. "We strongly encourage you to periodically audit both your equipment and your security procedures, as this will ensure that you will be better protected."

The list of impacted devices includes the following models: GT6, GT-AXE16000, GT-AX11000 PRO, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.

  • You first. (Score:5, Insightful)

    by SeaFox ( 739806 ) on Monday June 19, 2023 @09:40PM (#63616892)

    In case anyone forgot, this is the same company that botched everyone's routers [arstechnica.com] for two days last month due to a bad update. The kicker was the update wasn't even a firmware update, it was an update to an antimalware feature of the firmware, so even if you had your router explicitly set to not auto-install updates you got screwed.

    • Re: (Score:3, Informative)

      Ok, upgraded and working fine.

    • "the same company that botched everyone's routers" carries the connotation that somehow Asus is a negligent actor. I was hit by that mistake. It was swiftly corrected. I wouldn't presume to declare them unfit over it. They're at least as good as any other provider at producing stable firmware releases. In fact, I settled on Asus routers years ago, and I am satisfied. I don't even run Merlin (although I do miss the finer grained vpn support).

      The last time I actually had an issue with firmware was when I hit

  • by TheRealMindChild ( 743925 ) on Monday June 19, 2023 @09:41PM (#63616894) Homepage Journal

    If you have your router set up to allow administration from the WAN side, you're a fool

    • by Rosco P. Coltrane ( 209368 ) on Monday June 19, 2023 @10:02PM (#63616926)

      Not all use cases are home internet, and not all remote administration access schemes are insecure. On large sites where the IT guys need more than 2 minutes to get to a router, it makes sense.

      And here's another use case where it makes total sense: I have this totally untrusted network with IP devices that need to be accessed from the intranet. The devices are PoE IP cameras sitting outside the building and a server on the intranet records them. I don't want a random dude disconnecting one of the cameras on the wall and connecting their laptop to have instant access to our intranet.

      So I have a router sitting in the middle: the router's LAN side is the insecure network, with a separate network address, and the WAN port faces the intranet and gets an intranet IP. The router is configured to disallow any outbound traffic from the LAN side (no machine on the insecure network can reach the intranet in any way shape or form) and I have port forwarding rules to allow the server on the intranet to talk to the IP cameras by hitting the router's WAN IP on the right ports.

      In my case, I absolutely do NOT want any local administration, since the LAN is insecure, and I only want remote administration - i.e. only machines on the intranet can manage the router through its WAN port.

      This is a valid use case, it's not that outlandish, I completely need WAN-side administration and I ain't a fool.
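
The segmentation described in the comment above, written out as an nftables ruleset for a Linux-based router. This is an added example, not part of the original thread or the commenter's configuration; the interface names (wan0, lan0), all addresses, the recorder host and the port numbers are assumptions.

```nft
# Constructed example. Assumed layout:
#   wan0 = trusted intranet side (10.0.0.0/24), recorder at 10.0.0.50
#   lan0 = untrusted camera side (192.168.50.0/24)
table inet camera_gw {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Management (SSH/HTTPS) only from the intranet, via the WAN port.
        iifname "wan0" ip saddr 10.0.0.0/24 tcp dport { 22, 443 } accept
        # No accept rule for lan0: the camera side cannot reach the
        # router's own services, including its admin interface.
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies from cameras to the recorder ride on existing flows.
        ct state established,related accept
        # New connections: only the recorder, and only through a
        # port-forward (DNAT) entry defined below.
        iifname "wan0" oifname "lan0" ip saddr 10.0.0.50 ct status dnat accept
        # No lan0 -> wan0 rule: anything plugged into a camera drop
        # cannot open a connection into the intranet.
    }
}

table ip camera_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # One forwarded port per camera (RTSP on 554 assumed).
        iifname "wan0" ip saddr 10.0.0.50 tcp dport 5541 dnat to 192.168.50.11:554
        iifname "wan0" ip saddr 10.0.0.50 tcp dport 5542 dnat to 192.168.50.12:554
    }
}
```

With this layout the port forwards themselves are WAN-side services in the sense of the ASUS advisory, so the router's firmware level still matters even though the "WAN" here is an internal network.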

      • Not all use cases are home internet, and not all remote administration access schemes are insecure

        That's not actually a remote access system, you've just swapped the networks.

      • Nothing "informative" about that post. Actually a whole lot of lazy administrator whining and so incredibly bad network security practices.
    • Re: (Score:3, Informative)

      by cebu2018 ( 5490340 )

      If you have your router set up to allow administration from the WAN side, you're a fool

      Generally, I agree, although Rosco P. Coltrane pointed out some cases where you could actually want this. However, as you'll note in the original summary and TFA, this set of bugs affects you for non-admin access from the WAN side as well, including port forwarding, DDNS, VPN server, DMZ, port trigger - all of which are more common than WAN administration.

  • What bothers me is when they simply use an open source project and then NEVER DO A SECURITY REVIEW of the software. I mean, it's YOUR FUCKING PRODUCT so it only makes sense that YOU SHOULD SECURE IT BEFORE SELLING IT.

    This is the problem with there being no penalty for security failures like this.

    • Re: (Score:3, Insightful)

      I've paid for very expensive full throttle security reviews from well known security outfits you've heard of. And they still missed stuff.

      Life has no guarantee but death.

      • I've paid for very expensive full throttle security reviews from well known security outfits you've heard of. And they still missed stuff.

        I'm not saying it must be perfect, I'm saying they should have a security review before using it.

        • Re: (Score:3, Insightful)

          This is slashdot so obviously I didn't read the original article. Do we know they didn't do a security review?

          My last company we had a top end static source code checker, we had a dynamic checker from a different company, we did scan the open source stuff we used btw, and we paid for different well known security companies to check our code at least quarterly including human code review and prod site hack attempts black box style plus white box with our devs.

          Still found new holes all the time. This shit i

    • More like Zero Penalties for basically most things.

      It took those fuckers like 3 months to get this z790 mobo working proper after launch. I sat here that whole time on a 4090/13900K wanting to RMA but knowing there was no stock to replace it with anyway and it was a firmware issue. Top o' the line garbage on day 1. No penalties.

      • The penalty is you'll never buy from them again and you'll tell all your friends about it and most of them won't either.

        Bad work serves its own justice.

  • Most of the ZenWiFi routers did not get patches. Only the XT8 and XT9. I own a XD6 router that was first released mid-2021. Its last patch was October last year and some of the routers listed above have received 3 patches and multiple security and CVE fixes. So an ASUS router that is 2 years old got its last firmware patch 18 months from release and then nothing. This barely passes the warranty period. Very, very unhappy.
  • I don't see the RT-AX88U listed, and it's from the same gen as the AX86U, which is listed.

    I know someone running the AX88U and they didn't get any updates when they checked. So presumably only some models from each generation are affected.

    • ax86u is listed but latest firmware is from may Version 3.0.0.4.388.23285 52.56 MB 2023/05/11
      • So that is already patched since May I guess.

      • Yea same with the GS-AX5400 -- latest firmware is from April. The article made it sound like it was JUST released today, which is bullshit. The fix actually went in NOVEMBER of last year: ASUS ROG STRIX GS-AX5400 Firmware version 3.0.0.4.386.50477 Version 3.0.0.4.386.50477 54.04 MB 2022/10/24 Security 1. Fixed Stored XSS vulnerability. Thanks to Milan Kyselica of IstroSec. 2 . Fixed CVE-2022-23970, CVE-2022-23971, CVE-2022-23972, CVE-2022-23973, CVE-2022-25595, CVE-2022-25596, CVE-2022-25597, CVE-2022-07
  • Make sure Asus doesn't have some funky wording on the bios download like they did with the AMD motherboards, like "this is a beta, installing it will void your warranty on your brand new 700$ motherboard cause we forgot how to regulate vcore"

    • Ok yes it was a trap. Right after I upgraded the ASUS deathstar came fully online and wiped out my home world.

      But the firmware seems ok since installing it last night so I still have net even if my race is gone.

  • Just checked the asus site -- latest firmware is from April. WTF, Asus!?
    • This stuff was already fixed last November! ASUS ROG STRIX GS-AX5400 Firmware version 3.0.0.4.386.50477 Version 3.0.0.4.386.50477 54.04 MB 2022/10/24 Security 1. Fixed Stored XSS vulnerability. Thanks to Milan Kyselica of IstroSec. 2 . Fixed CVE-2022-23970, CVE-2022-23971, CVE-2022-23972, CVE-2022-23973, CVE-2022-25595, CVE-2022-25596, CVE-2022-25597, CVE-2022-0778, CVE-2022-26376, CVE-2021-34174 3. Fixed CVE-2018-1160. Thanks to Steven Sroba.
  • They sure don't take care of some of their older customers... The GT-AC5300 which was one of their earlier top of the line routers (~$400) hasn't received a new firmware since March 2022. But my even older basic RT-AC68U had one in May which has at least some of the fixes just announced.

    GT-AC530
    Current Version : 3.0.0.4.386_48377-g3e428e2
    Manual firmware update : Upload
    The latest version : The router's current firmware is the latest version.
    AiMesh Node
    RT-AC68U
    Current Version : 3.0.0.4.38
