ASUS released patches for over a dozen router models on Tuesday that are each vulnerable to multiple firmware flaws that when combined give a local unauthenticated attacker the ability to execute commands as root on targeted devices.
Routers models patched by ASUS are RT-AC88U, RT-AC3100, RT-AC86U, RT-AC68U and RT-AC66U. The flaw is related to ASUS firmware AsusWRT (versions before 220.127.116.11.384_10007), used in select models of the company’s router lines.
“The attack is done from the LAN side the network, as opposed to the WAN side. In other words, as far as we know you cannot exploit this from the internet,” according to network security firm Beyond Security, that disclosed the vulnerabilities earlier this week. “This (attack) works for someone in the your LAN – even if they are on a guest network – and it may lead to remote command execution.”
The two vulnerabilities are CVE-2018-6000 and CVE-2018-5999, a configuration manipulation flaw and a server authentication bypass flaw.
“Due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user,” wrote researcher Pedro Ribeiro who discovered the flaw.
The first flaw (CVE-2018-5999) is tied to the ASUS router firmware and takes advantage of a weakness in the AsusWRT HTTP server and the way it handles requests via “handle_request()” which allows an unauthenticated user to perform a POST request for certain actions, according to Ribeiro.
“This can (and will) be combined with other vulnerabilities to achieve remote code execution,” he said.
Ribeiro describes the second bug (CVE-2018-6000 ) as an unauthorized configuration change flaw tied to the router’s nonvolatile random access memory module (NVRAM).
“By abusing vulnerability #1 and POSTing to vpnupload.cgi, we can invoke do_vpnupload_post() in the HTTP server code, which has a vulnerability (CVE-2018-5999) that allows an attacker to set NVRAM configuration values directly from the request,” he said.
According to Ribeiro’s technical write up, the NVRAM values include the admin password. Therefore an attacker can manipulate, change or set NVRAM values such as the admin password to whatever they want.
“Once that is done, code execution is easily achieved. One option is to login to the web interface with the new password, enable SSH, reboot the router and login via SSH,” he said. SSH is shorthand for Secure Socket Shell, a network protocol that provides administrators (or attackers) a secure way to access a remote computer for remote management or manipulation.
The attack scenario can be varied, such as abusing ASUS’ own service called “infosvr” that listens on UDP broadcast port 9999 on the LAN or WLAN interface, writes Ribeiro. The infosvr services has also been a target of previous attack methods (CVE-2014-9583).
The vulnerabilities were disclosed earlier this week by network security firm Beyond Security and were part of the company’s SecuriTeam Secure Disclosure program.
According to Beyond Security, ASUS was notified of the vulnerabilities on Nov. 22. Vulnerabilities are being patched by ASUS via automatic updates sent to affected routers, according to Beyond Security.
A complete list of affected routers, according to ASUS, include:
RT-AC68U series 18.104.22.168.384_10007 , also include RT-AC68U/ 68R/ 68W/ AC1900/ 68U_White/ 68P/ 1900P/ 1900U
RT-AC66U_B1 series 22.214.171.124.384_10007, also include AC1750_B1