Asus, a popular manufacturer of wireless routers, has recently patched three critical vulnerabilities that could allow attackers to execute arbitrary code on the devices and compromise network security. The flaws affect the Asus RT-AX55, RT-AX56U_V2, and RT-AC86U models and have a severity score of 9.8 out of 10.
The vulnerabilities were disclosed by the Taiwan National Computer Emergency Response Team (TWNCERT) on September 6, 2023. They are all format string errors in different API modules of the router firmware. A format string error occurs when a program passes unvalidated input to a printf-style function as the format string itself, rather than as data to be formatted, so that format directives in the input are interpreted by the function. This can lead to memory corruption, information leakage, or code execution.
The three vulnerabilities are:
- CVE-2023-39238: Affects the set_iperf3_svr.cgi API module, which is used to set up an iperf3 server on the router for network performance testing. An attacker can send a specially crafted request to this module and execute code as the root user of the router.
- CVE-2023-39239: Affects the general configuration functions of the router, such as setting the device name, time zone, or password. An attacker can exploit this flaw by sending a malicious request to the apply.cgi API module and execute code or cause a denial-of-service condition.
- CVE-2023-39240: Affects the set_iperf3_cli.cgi API module, which is used to set up an iperf3 client on the router for network performance testing. An attacker can exploit this flaw by sending a malicious request to this module and execute code as the root user of the router.
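The safe pattern that the three CGI modules above lacked, as an added example: this is not Asus firmware code, and the parameter handling, the `cgi_log` wrapper and the log text are constructed for the demonstration. It shows untrusted input kept out of the format slot, a compiler attribute that flags misuse at build time, and a defence-in-depth check that rejects values carrying format directives.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical CGI helper modelled on the pattern described above; not Asus
 * firmware code. Parameter names and log text are constructed for the demo. */

/* Wrapper around vsnprintf. The format attribute makes the compiler check that
 * callers pass a string literal as fmt, so a call like cgi_log(out, sz, value)
 * with attacker data in the format slot is flagged at build time. */
__attribute__((format(printf, 3, 4)))
static int cgi_log(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Defence in depth: true if an untrusted value contains a printf directive
 * such as %s, %x or %n. A doubled "%%" is a literal percent and is allowed. */
bool contains_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped literal percent, skip both */
            s++;
            continue;
        }
        return true;            /* any other character after '%' starts a directive */
    }
    return false;
}

/* Hardened handler: the untrusted value is always passed as the argument to a
 * fixed "%s" format, never as the format itself. Returns the log line length,
 * or -1 if the value is rejected or the line would be truncated. */
int log_iperf3_target(const char *value, char *out, size_t outsz)
{
    if (contains_format_directive(value))
        return -1;
    int n = cgi_log(out, outsz, "iperf3 target set to %s", value);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}
```

Compiling with `-Wformat -Wformat-security` turns any caller that hands a variable to `cgi_log` as its format into a build-time warning, which is the cheapest place to catch this bug class.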
These vulnerabilities are especially dangerous because they do not require authentication and can be exploited remotely over the internet or the local network. An attacker who gains control of the router can access all the devices connected to it, intercept or modify the network traffic, install malware, or launch further attacks.
Asus has released firmware updates for the affected routers that fix these issues. Users are strongly advised to update their routers as soon as possible to prevent potential attacks. The firmware versions that contain the patches are:
- RT-AX55: 3.0.0.4.386_50460 or later
- RT-AX56U_V2: 3.0.0.4.386_50460 or later
- RT-AC86U: 3.0.0.4_386_51529 or later
Users can download the firmware updates from the Asus website or use the built-in firmware upgrade feature in the router web interface. To enable automatic firmware updates, users can go to Administration > Firmware Upgrade and turn on the Auto Firmware Upgrade option.
Asus routers are not the only devices that have been affected by critical security flaws recently. A new zero-day vulnerability in the Log4j Java library, which is widely used by many web applications and servers, has been discovered and exploited by hackers. The vulnerability, tracked as CVE-2021-44228, allows remote code execution by sending a specially crafted string to a vulnerable application. Users are advised to update their Log4j library to version 2.15.0 or later, or to apply other mitigations, as soon as possible.
Network security is essential for protecting personal data, online privacy, and digital assets from cyber threats. Users should always keep their devices updated with the latest security patches and use strong passwords and encryption to secure their network connections.