Asus home routers are open to a number of potential remote attacks because of vulnerabilities in the AiCloud service bundled with the hardware.
Security researcher Kyle Lovett posted on Sunday to the Full Disclosure mailing list today a follow up to a June disclosure of a directory traversal bug in the RT-N66U routers.
Lovett said Asus has informed him they are working on a fix, yet he said they have not warned customers, leading to him releasing further details this week.
The directory traversal bug enables an attacker to remotely access to files that control services on either side of the router, Lovett said. Key files, he said, are also exposed.
The following models are vulnerable:
- RT-AC66R Dual-Band Wireless-AC1750 Gigabit Router
- RT-AC66U Dual-Band Wireless-AC1750 Gigabit Router
- RT-N66R Dual-Band Wireless-N900 Gigabit Router with 4-Port Ethernet Switch
- RT-N66U Dual-Band Wireless-N900 Gigabit Router
- RT-AC56U Dual-Band Wireless-AC1200 Gigabit Router
- RT-N56R Dual-Band Wireless-AC1200 Gigabit Router
- RT-N56U Dual-Band Wireless-AC1200 Gigabit Router
- RT-N14U Wireless-N300 Cloud Router
- RT-N16 Wireless-N300 Gigabit Router
- RT-N16R Wireless-N300 Gigabit Router
“Vulnerabilities – Due in large part to an exposed $root share on the NVRAM for Samba service, which was discovered in March of this year by another researcher, on almost all of the above models that have enabled AiCloud service, the end users will find themselves exposed to multiple methods of attack and several dangerous remote exploits,” Lovett wrote. The Linux-based routers also expose credentials in clear text.
Once an attacker enters legitimate credentials on the RT-N16 and N16R routers, they are able to control the admin console on the LAN side and eventually control traffic moving through the local network, sniff packets or crash systems.
He recommends disabling all UPnP services until a patch is available from ASUS, and remove all remote access to the router for administration. Default passwords for the router and AiCloud services should also be changed.