Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Asus Patches Highly Critical WiFi Router Flaws

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.

ASUS Router Vulnerability

Taiwanese computer hardware manufacturer Asus on Monday shipped urgent firmware updates to address vulnerabilities in its WiFi router product lines and warned users of the risk of remote code execution attacks.

In an advisory, Asus documented at least nine security defects and multiple security weaknesses that allow code execution, denial-of-service, information disclosure and authentication bypasses.

The most serious of the nine vulnerabilities, a highly critical bug with a CVSS severity rating of 9.8/10, dates back to 2018 and exposes routers to code execution attacks.

The vulnerability, tagged as CVE-2018-1160, is a memory corruption issue in Netatalk before 3.1.12. “This is due to lack of bounds checking on attacker-controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution,” according to the advisory.

The Asus firmware update also patches CVE-2022-26376 (CVSS 9.8/10), a memory corruption vulnerability in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7.

“A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability,” Asus confirmed.

The company, which has struggled with security problems in the past, listed the affected WiFi routers as Asus GT6, GT-AXE16000, GT-AX11000 PRO, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000 and TUF-AX5400.

“If you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger,” the company cautioned.

Advertisement. Scroll to continue reading.

Asus is also strongly recommending that its users “periodically audit both your equipment and your security procedures” to stave off a wave of malware attacks targeting router infrastructure.

“Update your router to the latest firmware. We strongly recommend that you do so as soon as new firmware is released,” the company said, adding that users should set up up separate passwords wireless network and router-administration pages

Related: Supply-Chain Attack Used to Install Backdoors on ASUS Computers

Related: Severe Vulnerabilities Allow Hacking of Asus Gaming Router

Related: Chinese UEFI Rootkit Found on Gigabyte and Asus Motherboards

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights