Taiwanese company ASUS released a firmware update on Monday that addresses nine security bugs and more affecting various router models.
Of the nine security flaws, two are rated Critical and six are rated High severity. One vulnerability is currently awaiting analysis.
The list of affected products is GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO , RT.・AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, TUF-AX5400.
Topping the list of fixes are CVE-2018-1160 and CVE-2022-26376, both rated at 9.8 out of 10 on the CVSS scoring system.
CVE-2018-1160 relates to an out-of-bounds write bug that existed five years prior to Netatalk version 3.1.12 and could allow an unauthenticated, remote attacker to execute arbitrary code. I have.
CVE-2022-26376 has been described as a memory corruption vulnerability in Asuswrt firmware that can be triggered by specially crafted HTTP requests.
The other seven flaws are:
- CVE-2022-35401 (CVSS Score: 8.1) – An authentication bypass vulnerability that could allow an attacker to send a malicious HTTP request to gain full administrative access to the device.
- CVE-2022-38105 (CVSS score: 7.5) – An information disclosure vulnerability that can be exploited to access sensitive information by sending specially crafted network packets.
- CVE-2022-38393 (CVSS score: 7.5) – A denial of service (DoS) vulnerability that can be caused by sending specially crafted network packets.
- CVE-2022-46871 (CVSS score: 8.8) – Use of outdated libusrsctp library which may expose the target device to other attacks.
- CVE-2023-28702 (CVSS score: 8.8) – Command injection flaw. It can be exploited by a local attacker to execute arbitrary system commands, suspend the system, or terminate services.
- CVE-2023-28703 (CVSS score: 7.2) – Stack-based buffer overflow vulnerability. It can be exploited by an attacker with administrative privileges to execute arbitrary system commands, suspend the system, or terminate services.
- CVE-2023-31195 (CVSS score: N/A) – A man-in-the-middle (AitM) flaw that could lead to hijacking a user’s session.
ASUS recommends users to apply the latest updates as soon as possible to reduce security risks. As a workaround, users are advised to disable services accessible from the WAN side to avoid possible unwanted intrusions.
“These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, [and] port triggering,” the company said, urging customers to audit their devices regularly and set separate passwords for their wireless network and router management pages.
