ASUS RT wireless router owners, beware! If you haven’t updated your router’s firmware, you should do it immediately. Nightwatch Cybersecurity researchers have found vulnerabilities, CVE-2017-5891 and CVE-2017-5892, in these routers.
The team has revealed the POC exploit code for the flaws in question, which affect at least 40 router models. Some of the vulnerabilities could be exploited quite easily by tricking users into visiting a malicious site or via malicious applications running on the same network.
More about CVE-2017-5891 and CVE-2017-5892
CVE-2017-5891: ASUS RT-AC* and RT-N* devices with firmware before 3.0.0.4.380.7378 have Login Page CSRF and Save Settings CSRF.
CVE-2017-5892: ASUS RT-AC* and RT-N* devices with firmware before 3.0.0.4.380.7378 allow JSONP Information Disclosure such as a network map.
As these descriptions show, the CSRF flaws could allow attackers to log in and alter router settings, while the non-CSRF JSONP issue could lead to information disclosure.
Most of these issues have been fixed by Asus in the March 2017 firmware update under v3.0.0.4.380.7378. One issue (JSONP information disclosure) remains unfixed since the vendor doesn’t consider it to be a security threat, the researchers explained.
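To show what separates a vulnerable admin UI from a fixed one for the two flaw classes named above, here is an added defensive sketch (not code from the researchers or from ASUS firmware): a save-settings request guard that checks the request origin and a per-session anti-CSRF token, and a network-map endpoint that serves plain JSON to logged-in sessions only instead of a JSONP callback. The host names, endpoint shapes and sample client data are assumptions.

```python
"""Defensive sketch of the checks a router admin UI needs against the two
flaw classes named above: CSRF on login/save-settings, and JSONP exposure of
the network map. Endpoint names and request shapes are hypothetical."""
import hmac
import json
import secrets
from urllib.parse import urlsplit

# Hosts under which the admin UI is legitimately reached (assumed values).
ROUTER_HOSTS = {"router.asus.com", "192.168.1.1"}


def new_csrf_token() -> str:
    """Per-session token the UI embeds in every state-changing form."""
    return secrets.token_urlsafe(32)


def check_settings_request(headers: dict, form: dict, session_token: str) -> tuple[bool, str]:
    """Accept a save-settings POST only if it provably came from the router's
    own UI. Returns (allowed, reason)."""
    # 1. Origin (Referer as fallback) must name the router itself; a form
    #    auto-submitted from a page on another site carries that site's origin.
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False, "missing Origin/Referer"
    host = urlsplit(origin).hostname
    if host not in ROUTER_HOSTS:
        return False, f"cross-site origin {host}"
    # 2. The form must carry the token issued to this session; compare in
    #    constant time so the check does not leak the token byte by byte.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session_token.encode()):
        return False, "CSRF token mismatch"
    return True, "ok"


def network_map_response(query: dict, authenticated: bool, clients: list) -> tuple[int, str, str]:
    """Serve the network map as plain JSON to logged-in sessions only.
    A JSONP-style ?callback= parameter is deliberately ignored: wrapping the
    data in a script callback is what lets any third-party page read it by
    loading the endpoint as a <script>."""
    if not authenticated:
        return 401, "text/plain", "login required"
    body = json.dumps({"clients": clients})
    return 200, "application/json", body
```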
The researchers notified the vendor before disclosing the issues publicly.
Here is the list of affected routers, which the researchers note is not exhaustive:
- 4G-AC55U – [ADDED 05/10/2017: As reported by a commenter below, 4G-AC55U is also affected but has no patches available]
- RT-AC51U
- RT-AC52U B1 – [ADDED 05/10/2017 based on Asus Firmware updates]
- RT-AC53 – [ADDED 05/10/2017 based on Asus Firmware updates]
- RT-AC53U
- RT-AC55U
- RT-AC56R
- RT-AC56S
- RT-AC56U
- RT-AC66U
- RT-AC68U
- RT-AC68UF – [ADDED 05/10/2017 based on Asus Firmware updates]
- RT-AC66R
- RT-AC66W
- RT-AC68W
- RT-AC68P
- RT-AC68R
- RT-AC87R
- RT-AC87U
- RT-AC88U – [ADDED 05/10/2017 based on Asus Firmware updates]
- RT-AC1200 – [ADDED 05/10/2017 based on Asus Firmware updates]
- RT-AC1750 – [ADDED 05/10/2017 based on Asus Firmware updates]
- RT-AC1900P
- RT-AC3100
- RT-AC3200
- RT-AC5300
- RT-N11P
- RT-N12 (D1 version only)
- RT-N12+
- RT-N12E
- RT-N16 – [ADDED 05/10/2017 based on Asus Firmware updates]
- RT-N18U
- RT-N56U
- RT-N66R
- RT-N66U (B1 version only)
- RT-N66W
- RT-N300 – [ADDED 05/10/2017 based on Asus Firmware updates]
- RT-N600 – [ADDED 05/10/2017 based on Asus Firmware updates]