Router Flaw Could Disclose Sensitive Configuration, Password Information

Taiwanese electronics company Asus has released an update for one of its routers that corrects an authentication bypass vulnerability discovered in the devices over the summer.

Taiwanese electronics company Asus has released an update for one of its routers that corrects an authentication bypass vulnerability discovered in the devices over the summer.

The vulnerability is in Asus’ RT-N10E brand of routers, sold primarily throughout Europe, China and South America.

According to a note on Carnegie Mellon’s CERT Vulnerability Notes Database late Friday, the problem is that once an attacker gains access to the device, they can make their way to a certain website and learn the device configuration without entering log-in credentials.

The site, http://RouterIPAddress/qis/QIS_finish[.]htm, bills itself as the most comprehensive Router Database and is commonly used by end users to research router information and settings worldwide.

The vulnerability (CVE-2013-3610) allows attackers to view information – including the device’s administrator password – that should only be viewable to authenticated users, by being on the local area network.

Firmware update 2.0.0.25 fixes the vulnerable versions, 2.0.0.24 and earlier and also addresses two other, unrelated issues involving an “abnormal disconnection” and a problem with “IPTV connection stability after PPPoE reconnect.”

Those not interested in updating can apply a workaround: Restricting network access to the the router’s system web interface.

Suggested articles