Taiwanese computer hardware manufacturer Asus on Monday shipped urgent firmware updates to address vulnerabilities in its WiFi router product lines and warned users of the risk of remote code execution attacks.
In an advisory, Asus documented at least nine security defects and multiple security weaknesses that allow code execution, denial-of-service, information disclosure and authentication bypasses.
The most serious of the nine vulnerabilities, a highly critical bug with a CVSS severity rating of 9.8/10, dates back to 2018 and exposes routers to code execution attacks.
The vulnerability, tagged as CVE-2018-1160, is a memory corruption issue in Netatalk before 3.1.12. “This is due to lack of bounds checking on attacker-controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution,” according to the advisory.
The Asus firmware update also patches CVE-2022-26376 (CVSS 9.8/10), a memory corruption vulnerability in the httpd unescape functionality of Asuswrt prior to 126.96.36.199.386_48706 and Asuswrt-Merlin New Gen prior to 386.7.
“A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability,” Asus confirmed.
The company, which has struggled with security problems in the past, listed the affected WiFi routers as Asus GT6, GT-AXE16000, GT-AX11000 PRO, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000 and TUF-AX5400.
“If you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger,” the company cautioned.
Asus is also strongly recommending that its users “periodically audit both your equipment and your security procedures” to stave off a wave of malware attacks targeting router infrastructure.
“Update your router to the latest firmware. We strongly recommend that you do so as soon as new firmware is released,” the company said, adding that users should set up up separate passwords wireless network and router-administration pages