40 Asus RT routers open to attack through web interface vulnerabilities

If you own an Asus RT wireless router, and you haven’t updated its firmware for a while, now is the time to do it.

Asus RT router security

Researchers from Nightwatch Cybersecurity have revealed details and POC exploit code for a number of vulnerabilities affecting 40 or so router models, some of which can be exploited easily by luring users to a malicious site or through a malicious mobile or desktop application running on the same network.

The researchers found a couple of cross-site request forgery (CSRF) issues, which could allow attackers to login and change settings in the router, as well several non-CSRF ones (JSONP information disclosure with and without login, WiFi password disclosure).

The first category of issues was been assigned the CVE-2017-5891 designation, while the latter fall under CVE-2017-5892.

“All of these assume that the attacker knows the local IP address of the router,” the researchers noted, but posited that this information can be guessed or be determined via Javascript APIs like WebRTC. “For desktop and mobile applications, determination of the gateway address should be trivial to implement.”

Asus has been notified of the issues beforehand, and has fixed all except one (JSONP information disclosure without login), as it does not consider it a threat to users.

The fixes have been incorporated in version 3.0.0.4.380.7378 of the firmware, pushed out in March 2017. Users should implement that or newer versions of the firmware as soon as possible, and while they are at it, they should change their router’s default credentials (if they haven’t already).

The list of affected routers is offered in this document, but it’s not considered to be complete.

After the initial publication of the POCs, they have been tested by another tester on a Asus RT router model that was not on the list (4G-AC55U), and it has been found to be vulnerable. A firmware update for that model is currently unavailable.