ASUS Urges Customers to Patch Critical Router Vulnerabilities

Cyber Security Threat Summary:
Yesterday, ASUS released firmware updates to address vulnerabilities impacting several of its router models, warning customers to update their devices or restrict WAN access until they are secured. In total, 9 vulnerabilities were addressed, some of which have been rated high and critical in severity. The most severe of the flaws are CVE-2022-26376 and CVE-2018-1160, both of which received a score of 9.8 out of 10 on the CVSS scale. CVE-2022-26376 is a critical memory corruption weakness in the Asuswrt firmware used in ASUS routers. Successful exploitation of this flaw could enable a threat actor to trigger a denial of service or gain code execution. The second critical flaw (CVE-2018-1160) is a 5-year-old out-of-bounds weakness in Netatalk caused by a lack of bounds checking on attacker-controlled data. An attacker could exploit this flaw to remotely achieve arbitrary code execution on impacted devices without authentication.

Several other vulnerabilities (CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2022-38393) were also addressed. These relate to denial of service, cross-site scripting, information disclosure, and other issues.

Below is a list of the impacted device models which have all received security updates:

GT6, GT-AXE16000, GT-AX11000 PRO, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.

Security Officer Comments:
Routers are frequently a prime target for cybercriminals because these devices tend to be left unpatched when security updates addressing new vulnerabilities are released. This gives threat actors an opportunity to compromise, with little effort, not only the routers themselves but also other hosts connected to the network.

In the past, ASUS routers have been the target of botnets. For instance, in March 2022, Russian threat actors (Sandworm) launched Cyclops Blink malware attacks against multiple ASUS routers with the goal of gaining persistence on the devices and using them to achieve remote access to compromised networks. Although U.S. and U.K. cybersecurity agencies were able to disrupt the Cyclops Blink botnet in time, these compromised devices could have been used to launch denial-of-service attacks, effectively taking down critical internet-facing services.

Suggested Correction(s):
Organizations should review the list of impacted router models and apply the latest firmware as soon as possible to prevent potential attacks. In general, ASUS also recommends creating distinct passwords of at least eight characters (combining uppercase letters, numbers, and symbols) for the wireless network and the router administration pages, and avoiding the use of the same password for multiple devices or services.

Link(s):
https://www.bleepingcomputer.com/news/security/asus-urges-customers-to-patch-critical-router-vulnerabilities
https://www.asus.com/content/asus-product-security-advisory/