ASUS Product Security Advisory - 12/03/2024 ASUS Router Improper Input Validation

[bennor]

Asus posted a notice on improper router input validation for CVE-2024-11985 with firmware updates for RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX57, RT-AX58U, RT-AX58U_V2.

12/03/2024 ASUS Router Improper Input Validation
ASUS has released a new firmware update for RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX57, RT-AX58U, RT-AX58U_V2

We advise you to check your equipment and security procedures regularly, as this will make you safer. As a user of an ASUS router, we recommend doing the following steps:
• Update your router with the newest firmware. We encourage you to do this when new firmware becomes available. You can find the newest firmware on the ASUS support page at
https://www.asus.com/support/ or the relevant product page at
https://www.asus.com/Networking/. ASUS has provided a link to new firmware for some routers at the end of this notice.
• Use different passwords for your wireless network and router-administration page. Use passwords that have at least 10 characters, with a mix of capital letters, numbers and symbols. Do not use the same password for more than one device or service.

If you are not able to update the firmware quickly, please make sure that both your login and WiFi passwords are strong. It is recommended (1) disable any services that can be reached from the internet, such as remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger. (2) passwords have more than 10 characters with a variety of capitalized letters, numbers, and special characters to increase the security level of your devices. Do not use passwords with consecutive numbers or letters, such as 1234567890, abcdefghij, or qwertyuiop."
For further help with router setup and an introduction to network security, please visit
How to update the firmware of your router to the latest version?
https://www.asus.com/support/FAQ/1039292
Please update the firmware for the listed models to the version in the table or newer.

Model	Firmware version	Download link	CVE
RT-AX55	3.0.0.4.386_52332	https://www.asus.com/supportonly/rt-ax55/helpdesk_bios	CVE-2024-11985
RT-AX55 V2	3.0.0.4.386_52332	https://www.asus.com/supportonly/rt-ax55/helpdesk_bios
RT-AX56U	3.0.0.4.386_51712	https://www.asus.com/networking-iot...rs/rt-ax56u/helpdesk_bios?model2Name=RT-AX56U
RT-AX56U_V2	3.0.0.4.386_52332	https://www.asus.com.cn/supportonly/rt-ax55/helpdesk_bios/
RT-AX57	3.0.0.4.386_52332	https://www.asus.com/supportonly/rt-ax57/helpdesk_bios
RT-AX58U	3.0.0.4_388_25127	https://www.asus.com/supportonly/rt-ax58u/helpdesk_bios
RT-AX58U V2	3.0.0.4_388_25127	https://www.asus.com/supportonly/rt-ax58u/helpdesk_bios

 

[John Fitzgerald]

@bennor

I checked the RT-AX58U download, the newest is: ASUS RT-AX58U Firmware version 3.0.0.4.388_25139,
Version 3.0.0.4.388_25139, 95.1 MB, 2024/11/07

RT-AX58U - Support

www.asus.com

The one referenced in your link is the old unpatched CN Botnet expossed one.
The link to the page is correct but the unpatched # should not be used.

Thanks for the post.

 

[bennor]

The one referenced in your link is the old unpatched CN Botnet expossed one.

It should be noted the Asus information posted does state to use the listed firmware's OR newer for the vulnerability they mention in their notice.

Please update the firmware for the listed models to the version in the table or newer.

And this:

Update your router with the newest firmware

One should use the latest firmware where possible. Asus should have done a better job conveying or highlighting that one should use the latest firmware.