There is a serious security vulnerability in the firmware of many ASUS routers that allows unauthenticated command execution. The bug may be present in all current versions of the router firmware, and there is an exploit published for it, as well.
Security researchers Joshua Drake posted an advisory on the vulnerability on Thursday, detailing the bug and saying that the best defense likely is to remove the remote command execution function from the vulnerable service. The culprit is a service called infosvr, which is designed to help admins find and configure routers on a network segment.
“Several models of ASUS’s routers include a service called infosvr that listens on UDP broadcast port 9999 on the LAN interface. It’s used by one of ASUS’s tools to ease router configuration by automatically locating routers on the local subnet. This service runs with root privileges and contains an unauthenticated command execution vulnerability,” Drake wrote in his advisory.
The vulnerability is thought to affect all versions of the firmware in ASUS’s routers, and Drake said in the advisory that the bug lies in a block of code that is related to the processPacket function.
“The block starts off by excluding a couple of OpCode values, which presumably do not require authentication by design. Then, it calls the memcpy and suspiciously checks the return value against zero. This is highly indicative that the author intended to use memcmp instead. That said, even if this check was implemented properly, knowing the device’s MAC address is hardly sufficient authentication,” Drake.
The most effective workaround for the vulnerability, Drake said, is to disable the infosvr process, which can be done by killing the process each time the router is booted. He also recommended that the remote command function be removed from the firmware altogether.
“Remove the remote command execution functionality from this service. Even if it were guarded with strong authentication, broadcasting a password to the entire LAN isn’t really something to be desired. If command execution is truly desired it should be provided via SSH or similar secure mechanism,” he said.
