Asus releases firmware updates for routers to address critical security issues
Asus has released new firmware for a wide range of its routers that address nine different security issues, some of which rated critical. The company encourages customers to install the firmware update immediately on their devices to protect them against potential attacks. Customers may also modify settings to mitigate potential attacks.
The security advisory website on Asus' website lists the following affected routers: GT6/GT-AXE16000/GT-AX11000 PRO/GT-AXE11000/GT-AX6000/GT-AX11000/GS-AX5400/GS-AX3000/XT9/XT8/XT8 V2/RT-AX86U PRO/RT-AX86U/RT-AX86S/RT-AX82U/RT-AX58U/RT-AX3000/TUF-AX6000/TUF-AX5400.
The support page offers links to the firmware download pages for each of the affected routers of the company. Asus recommends that customers install the firmware immediately on their devices. Some firmware download pages appear to have not been updated yet by the company with the new releases. This appears to be the case for the Rog Rapture GT-AXE16000, as its latest firmware dates back to April 19th, 2023. Most of the other firmware download pages lists the new firmware, release date June 20, already though. A support page explains how administrators may update the firmware of Asus routers.
Asus notes that the firmware update addresses the following nine security CVE's:
- CVE-2023-28702 (high)
- CVE-2023-28703 (high)
- CVE-2023-31195 (not rated)
- CVE-2022-46871 (high)
- CVE-2022-38105 (high)
- CVE-2022-35401 (critical)
- An authentication bypass vulnerability exists in the get_IFTTTTtoken.cgi functionality of Asus RT-AX82U 3.0.0.4.386_49674-ge182230. A specially-crafted HTTP request can lead to full administrative access to the device. An attacker would need to send a series of HTTP requests to exploit this vulnerability.
- CVE-2018-1160 (critical)
- Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.
- CVE-2022-38393 (high)
- CVE-2022-26376 (critical)
Only three of the security issues are from 2023. The remaining security issues are from 2022, except for one, which is from 2018. Three of the vulnerabilities have the highest severity rating of critical, five of the remaining vulnerabilities have a severity rating of high, and one has not been rated yet.
Asus lists the following security fixes in particular that the new firmware update makes:
- Fixed DoS vulnerabilities in firewall configuration pages.
- Fixed DoS vulnerabilities in httpd.
- Fixed information disclosure vulnerability.
- Fixed null pointer dereference vulnerabilities.
- Fixed the cfg server vulnerability.
- Fixed the vulnerability in the logmessage function.
- Fixed Client DOM Stored XSS
- Fixed HTTP response splitting vulnerability
- Fixed status page HTML vulnerability.
- Fixed HTTP response splitting vulnerability.
- Fixed Samba related vulerabilities.
- Fixed Open redirect vulnerability.
- Fixed token authentication security issues.
- Fixed security issues on the status page.
System administrators who can't install the firmware updates at this point may disable services "accessible from the WAN side" to protect devices against attacks. These WAN side services include "remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger" according to Asus.
System administrators may want to update the firmware of the router as soon as possible or apply the mitigations to protect devices against potential attacks.
Just last month, Asus confirmed an issue with some of its routers that caused connectivity issues for users.
Now You: when was the last time you updated your router's firmware?
The Asus router update for my RT-AX3000 router simply refuses to install no matter what browser I use. Downloaded firmware update from the Asus Download Center and attempted to manually upload. Displays, “Applying Settings, Please Wait” and that is all. Have left it on that for an hour and the % upload bar fails to appear. No upload whatsoever happens. I have been lucky that a router reboot gets it out of the upload screen and back to a working router and this hasn’t bricked my router. Will not attempt it by clicking on the “Firmware Upgrade” button at this time.
So older routers made by Asus do not have the vulnerabilities? I have a RT-N66R that has no updates for a few years now.
My Old Dark-Knight RT-N66U still works great.
2 days ago I hooked up a 10 year old “NetGear Router”
and it works just as good in a low data ‘wilderness’ environment.
It’s Not Piholed like the ASUS but I just directed the DNS to Quad9
and it’s running just as fast and Quiet with internal blocklists in the OS
Quad9 is by far the best free DNS option by now to increase security.
Are these routers updates applied automatically? If don’t, how many users won’t update their routers? I still remember my mother’s former ASUS that broke itself applying a BIOS update with no success at all. I dislike ASUS so much.
Depends on whether the setting for “Auto Firmware Upgrade” is enabled. You can check by going to Advanced Settings > Administration > Firmware Upgrade. Here’s the [user manual](https://dlcdnets.asus.com/pub/ASUS/wireless/RT-AX82U/E17523_RT-AX82U_UM_web.pdf?model=RT-AX82U) for one of the affected routers for reference (see page 91 for firmware). You can also find instructions for firmware restoration in the doc.