Asus Patches Critical WiFi Router Issues

Asus, a Taiwanese computer hardware manufacturer, has released urgent firmware updates to address multiple vulnerabilities in its WiFi router product lines.

The vulnerabilities include a highly critical bug dating back to 2018 that exposes routers to code execution attacks, prompting the company to warn users about the risk of remote code execution attacks:

• CVE-2018-1160 9CVSS 9.8/10), Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.

  • Netatalk is a software component designed to facilitate Apple-style networking. However, it is important to note that an attacker does not necessarily require a Macintosh computer or Apple software to exploit vulnerabilities in Netatalk. The successful exploitation of these vulnerabilities would involve intentionally manipulating network data in a specific manner. Therefore, even legitimate Netatalk client software is unlikely to trigger the vulnerabilities. Instead, an attacker would utilize custom-created code and could potentially launch an attack from any operating system on any computer connected to a network.

• CVE-2022-26376 (CVSS 9.8/10), a memory corruption vulnerability in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7.

  • HTTP escaping and unescaping play a crucial role when dealing with URLs that contain characters which cannot be directly represented in the URL's text. For instance, URLs cannot include spaces to ensure they remain as a single, continuous block of readable text. Thus, if there is a need to reference a username or a file that contains a space, the space character must be escaped. This involves converting the space character into a percent sign followed by its corresponding ASCII code in hexadecimal (0x20, or 32 in decimal).

    Similarly, other characters that have special significance in URLs, such as colon (":"), slash ("/"), question mark ("?"), and ampersand ("&"), also require escaping. These characters are replaced with a percent sign ("%") followed by their respective ASCII codes (e.g., colon becomes "%3A," slash becomes "%2F," question mark becomes "%3F," and ampersand becomes "%26").

    When a web server receives a request, any escaped characters in the URL are unescaped. This involves converting the percent-encoded representations back into their original text characters

The reason for the delay in ASUS patching these specific bugs is not explicitly stated in the company's official advisory. However, handling HTTP escape codes is an essential aspect of any software that listens to and utilizes web URLs, which suggests that addressing these bugs may have involved complex technical considerations or required a significant amount of time and effort.

Impacted models by this vulnerability as reported by Asus are

• Asus GT6
• GT-AXE16000
• GT-AX11000 PRO
• GT-AX6000
• GT-AX11000
• GS-AX5400
• GS-AX3000
• XT9,
• XT8,
• XT8 V2,
• RT-AX86U PRO,
• RT-AX86U,
• RT-AX86S,
• RT-AX82U,
• RT-AX58U,
• RT-AX3000,
• TUF-AX6000
• TUF-AX5400.

Asus adviss users to disable certain services accessible from the WAN side if they choose not to install the firmware updates: 

remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger

Asus is also recommending periodic security audits and separate passwords for wireless networks and router administration pages.