ASUS Patches RT Router Vulnerabilities

In March, ASUS updated the firmware of a number of its RT routers to address vulnerabilities found within the devices’ native web interface.

A recent ASUS firmware update addressed a number of vulnerabilities in 30 models of its popular RT routers.

The flaws were privately disclosed by researchers at Baltimore consultancy Nightwatch Cybersecurity, and were patched starting in March, with 10 updates added Wednesday. Users should ensure their firmware is up to date and running on version 3.0.0.4.380.7378.

The vulnerabilities were found in a native web interface on the devices and allow an attacker on the same local network to change router settings, steal Wi-Fi passwords or leak system information.

ASUS addressed all but one of the disclosed vulnerabilities, an issue found in two JSONP endpoints that leak some information about the router without the need for the attacker to be logged in. Nightwatch’s Yakov Shafranovich said ASUS did not consider this a security issue.

“It is an information disclosure issue which can be used to detect if a router is an ASUS router, but cannot be used as an attack on its own,” Shafranovich said. “We disagree because this can be used to facilitate an attack; it would be the first step to detect if the router is an ASUS router.”

Shafranovich said that two cross-site request forgery vulnerabilities were the most critical among the disclosures. One was found on the router’s login page and the other within the interface that saves settings, both of which lacked CSRF protection. An attacker could lure a victim to a site hosting malicious JavaScript and carry out a CSRF attack to log in to the router. If the user has failed to change the default password on the device, this facilitates the attack even further.

“Fool a user that is on a network using an Asus router into visiting a malicious page; the JavaScript code on that page can do the rest,” Shafranovich said.

Nightwatch also found a separate JSONP information disclosure vulnerability that requires authentication. An attacker can use this to learn information through the router, including network information, surrounding access points, a map of devices on the local network, external IP addresses, WebDAV information and more.

The researchers also found an XML endpoint in the router that reveals the router’s Wi-Fi password.

“But to fully exploit this issue, it would require a mobile or desktop application running on the local network since XML cannot be loaded cross origin in the browser,” Nightwatch said in its advisory.

The researchers said that exploits targeting the JSONP issues would load the JSONP endpoints via SCRIPT tags, while the XML endpoint issue could be exploited through a malicious application.

“All of these assume that the attacker knows the local IP address of the router,” the researchers said. “This could probably be guessed or be determined via Javascript APIs like WebRTC. For desktop and mobile applications, determination of the gateway address should be trivial to implement.”
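The missing protections described above can be sketched as server-side checks. This is an added example, not code from ASUS firmware or the Nightwatch advisory; the origins, key, form field name and function names are assumptions chosen for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Assumed values for illustration only (not taken from the advisory or the firmware).
ROUTER_ORIGINS = {"http://192.168.1.1", "http://router.example"}
SERVER_KEY = b"per-boot-random-key-placeholder"


def csrf_token(session_id: str) -> str:
    """Token bound to the (pre-login or logged-in) session; other origins cannot guess it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers: dict) -> str | None:
    """Origin of the page that sent the request, from Origin or, failing that, Referer."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return None
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else None


def allow_state_change(headers: dict, session_id: str, form: dict) -> tuple[bool, str]:
    """Gate for the login and save-settings POST handlers."""
    origin = request_origin(headers)
    if origin not in ROUTER_ORIGINS:
        return False, f"cross-origin or missing origin: {origin}"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), csrf_token(session_id).encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def info_response(query: dict, authenticated: bool, info: dict) -> tuple[int, dict, str]:
    """Information endpoint served as plain JSON instead of JSONP."""
    if not authenticated:
        return 401, {}, ""
    if "callback" in query:
        # The callback wrapper is what lets a cross-origin SCRIPT tag read the data.
        return 400, {}, ""
    headers = {"Content-Type": "application/json", "X-Content-Type-Options": "nosniff"}
    return 200, headers, json.dumps(info)
```
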

Nightwatch also published a list of affected models:

Added Wednesday:

  • 4G-AC55U
  • RT-AC52U B1
  • RT-AC53
  • RT-AC68UF
  • RT-AC88U
  • RT-AC1200
  • RT-AC1750
  • RT-N16
  • RT-N300
  • RT-N600

Originally updated in March:

  • RT-AC51U
  • RT-AC53U
  • RT-AC55U
  • RT-AC56R
  • RT-AC56S
  • RT-AC56U
  • RT-AC66U
  • RT-AC68U
  • RT-AC66R
  • RT-AC66U
  • RT-AC66W
  • RT-AC68W
  • RT-AC68P
  • RT-AC68R
  • RT-AC68U
  • RT-AC87R
  • RT-AC87U
  • RT-AC1900P
  • RT-AC3100
  • RT-AC3200
  • RT-AC5300
  • RT-N11P
  • RT-N12 (D1 version only)
  • RT-N12+
  • RT-N12E
  • RT-N18U
  • RT-N56U
  • RT-N66R
  • RT-N66U (B1 version only)
  • RT-N66W


Discussion

  • Nymwitz on

    Interesting that owners aren't notified, even though they register. This leads one to the thought of hackable registration data.
  • Janne on

    RT-N56U B1 still runs the initial firmware 3.0.0.4.378_5291 from 2015/05/19. No patch newer firmware available!
  • Liam on

    I sensed some truly great effort this year and previous year by ASUS to design a router interface that was easy to navigate - control - and update. After making changes to the configuration settings, a fast recycle due to the better hardware was also noticed. I was truly disappointed when I called customer service to ask a simple question... "Has a patch been issued to fix the WPA2 vulnerability?" I followed the lead on creating an account, profile, and providing all my product and contact information - but was told by the CSR to "wait for the firmware update". "How will I know when it's ready?" I asked... and the reply was "check the web site". WTF! Customers who bother to set up their profile and divulge their product and contact info should not have to do anything like this. The company "ASUS" should tell them when it's ready via e-mail or phone. They have all the info... WTF. It is also really strange (negligent even) that there has been no mention of this vulnerability and the mitigation steps ASUS is taking to secure their customers. This is bad business and so easy (simple) to do - just communicate using the collected contact info... then at least you have done all that can be done other than permanently fix the issue via a patch. Please don't make me sorry that I am an ASUS customer - there are so many other choices out there that I did not choose. -Liam
    • Liam on

      For the record AC3200
