A pair of flaws in ASUS routers for the home could allow an attacker to compromise the devices – and eavesdrop on all of the traffic and data that flows through them.
The bugs are specifically found in the RT-AC1900P whole-home Wi-Fi model, within the router’s firmware update functionality. Originally uncovered by Trustwave, ASUS has issued patches for the bugs, and owners are urged to apply the updates as soon as they can.
The first issue (CVE-2020-15498) stems from a lack of certificate checking.
The router uses GNU Wget to fetch firmware updates from ASUS servers. It’s possible to log in via SSH and use the Linux/Unix “grep” command to search through the filesystem for a specific string that indicates that the vulnerability is present: “–no-check-certificate.”
In vulnerable versions of the router, the files containing that string are shell scripts that perform downloads from the ASUS update servers, according to Trustwave’s advisory, issued on Thursday. This string indicates that there’s no certificate checking, so an attacker could use untrusted (forged) certificates to force the install of malicious files on the targeted device.
An attacker would need to be connected to the vulnerable router to perform a man in the middle attack (MITM), which would allow that person complete access to all traffic going through the device.
The latest firmware eliminates the bug by not using the Wget option anymore.
The second bug (CVE-2020-15499) is a cross-site scripting (XSS) vulnerability in the Web Management interface related to firmware updates, according to Trustwave.
“The release notes page did not properly escape the contents of the page before rendering it to the user,” explained the firm. “This means that a legitimate administrator could be attacked by a malicious party using the first MITM finding and chaining it with arbitrary JavaScript code execution.”
ASUS fixed this in the latest firmware so that the release notes page no longer renders arbitrary contents verbatim.
“Since routers like this one typically define the full perimeter of a network, attacks targeting them can potentially affect all traffic in and out of your network,” warned Trustwave.
ASUS patched the issues in firmware version 3.0.0.4.385_20253.
The bug disclosure comes less than two weeks after a bombshell security review of 127 popular home routers found most contained at least one critical security flaw, according to researchers. Not only did all of the routers the researchers examined have flaws, many “are affected by hundreds of known vulnerabilities,” the researchers said.
On average, the routers analyzed–—by vendors such as D-Link, Netgear, ASUS, Linksys, TP-Link and Zyxel—were affected by 53 critical-rated vulnerabilities (CVE), with even the most “secure” device of the bunch having 21 CVEs, according to the report. Researchers did not list the specific vulnerabilities.
