A recent ASUS firmware update addressed a number of vulnerabilities in 30 models of its popular RT routers.
The flaws were privately disclosed by researchers at Baltimore consultancy Nightwatch Cybersecurity, and were patched starting in March, with 10 updates added Wednesday. Users should ensure their firmware is up to date and running on version 220.127.116.11.380.7378.
The vulnerabilities were found in a native web interface on the devices and allow an attacker on the same local network to change router settings, steal Wi-Fi passwords or leak system information.
ASUS addressed all but one of the disclosed vulnerabilities, an issue found in two JSONP endpoints that leak some information about the router without the need for the attacker to be logged in. Nightwatch’s Yakov Shafranovich said ASUS did not consider this a security issue.
“It is an information disclosure issue which can be used to detect if a router is an ASUS router, but cannot be used as an attack on its own,” Shafranovich said. “We disagree because this can be used to facilitate an attack; it would be the first step to detect if the router is an ASUS router.”
Nightwatch also found a separate JSONP information disclosure vulnerability that requires authentication. An attacker can use these to learn information through the router, including network information, surrounding access points, a map of devices on the local network, external IP addresses, WebDAV information and more.
The researchers also found an XML endpoint in the router that reveals the router’s Wi-Fi- password.
“But to fully exploit this issue, it would require a mobile or desktop application running on the local network since XML cannot be loaded cross origin in the browser,” Nightwatch said in its advisory.
The researchers said that exploits targeting the JSONP issues would load the JSONP endpoints via SCRIPT tags, while the XML endpoint issue could be exploited through a malicious application.
Nightwatch also published a list of affected models:
- RT-AC52U B1
Originally updated in March:
- RT-N12 (D1 version only)
- RT-N66U (B1 version only)