Critical remote code execution vulnerabilities in ASUS routers

published: Sept. 5, 2023

Take action: This is not a drill. If you have an ASUS router, first immediately disable remote administration (the setting that exposes Web Admin Access on the router's WAN/internet interface). After that, patch your ASUS router to the latest firmware version.



ASUS routers are exposed to a critical security concern due to the presence of three high-risk remote code execution vulnerabilities. These vulnerabilities affect three specific ASUS router models:

  • ASUS RT-AX55, firmware 3.0.0.4.386_50460
  • RT-AX56U_V2, firmware 3.0.0.4.386_50460
  • RT-AC86U, firmware 3.0.0.4_386_51529

These routers are highly popular and well-regarded within the consumer networking market, often sought after by gamers and individuals with demanding performance requirements. However, despite their popularity, they have been found to be susceptible to serious security flaws. These vulnerabilities could potentially enable malicious actors to gain unauthorized access to these routers and take control of them.

All three vulnerabilities are scored 9.8 out of a possible 10 under the Common Vulnerability Scoring System (CVSS) v3.1. These vulnerabilities are categorized as format string vulnerabilities, a type of security issue that can be exploited remotely and without the need for authentication.

An example of format string vulnerability

Format strings define the format for displaying or parsing data. They contain placeholders, often introduced by % symbols, which are replaced with actual data at runtime. For example, in C, a program might pass user input to the printf function like this:

 

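char input[128];
scanf("%127[^\n]", input);   /* read one line of user input, bounded to the buffer */
printf(input);               /* vulnerable: user input is used as the format string */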

In this code, the program reads a user's input using scanf and then passes it directly to printf as the format string, rather than as an argument to a fixed format string. If a user provides a format specifier in the input, they can manipulate the program's behavior. For instance, an attacker might input:

%08x %08x %08x %08x

This input makes the call equivalent to:

printf ("%08x %08x %08x %08x");

This effectively fetches four values from the stack and displays them as zero-padded, 8-digit hex numbers. We just pulled four values from memory that we shouldn't have access to.
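The hardened counterpart of the snippet above, as an added example that is not part of the original article or of ASUS firmware: user input is passed as data to a constant "%s" format, and a small scanner counts conversion directives in untrusted text so a service can reject or log them. The function names count_format_directives and safe_echo are hypothetical, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in untrusted text.
 * "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int count = 0;
    while (*s) {
        if (*s++ != '%')
            continue;
        if (*s == '%') { s++; continue; }           /* escaped percent */
        s += strspn(s, "-+ #0");                     /* flags */
        s += strspn(s, "0123456789*$");              /* width, positional index */
        if (*s == '.')                               /* precision */
            s += 1 + strspn(s + 1, "0123456789*");
        s += strspn(s, "hlLqjzt");                   /* length modifiers */
        if (*s && strchr("diouxXeEfFgGaAcspn", *s)) {
            count++;                                 /* complete directive */
            s++;
        }
    }
    return count;
}

/* Hardened echo: the format string is a constant, so the untrusted
 * input is only ever treated as data. Returns the snprintf result. */
int safe_echo(char *out, size_t out_len, const char *input)
{
    return snprintf(out, out_len, "%s", input);
}

int main(void)
{
    const char *input = "%08x %08x %08x %08x";       /* constructed sample */
    char out[64];

    safe_echo(out, sizeof out, input);
    printf("directives found: %d\n", count_format_directives(input));
    printf("echoed literally: %s\n", out);
    return 0;
}
```

GCC and Clang report the vulnerable printf(input) pattern at build time when -Wformat-security is enabled.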

As seen in the example, to exploit these vulnerabilities, attackers would craft specially designed input and send it to the vulnerable ASUS routers. In this particular case, they would target specific administrative Application Programming Interface (API) functions on the routers.

The vulnerabilities are as follows:

  • CVE-2023-39238: This vulnerability is a result of inadequate verification of the input format string in the iperf-related API module 'ser_iperf3_svr.cgi'.
  • CVE-2023-39239: This flaw arises from insufficient verification of the input format string within the general setting function's API.
  • CVE-2023-39240: This vulnerability is attributed to the lack of proper verification of the input format string in the iperf-related API module 'ser_iperf3_cli.cgi'.

To address these critical security concerns, ASUS has released firmware updates for affected router models. Users are strongly urged to apply the following firmware updates:

  • RT-AX55: Update to firmware version 3.0.0.4.386_51948 or a later version.
  • RT-AX56U_V2: Update to firmware version 3.0.0.4.386_51948 or a later version.
  • RT-AC86U: Update to firmware version 3.0.0.4.386_51915 or a later version.

In addition to updating the firmware, users should disable the remote administration (WAN Web Access) feature so that attackers can't attack the web admin console.
