ASUS urges customers to patch critical router vulnerabilities

[XIII]

“ASUS urges customers to patch critical router vulnerabilities”:

ASUS urges customers to patch critical router vulnerabilities

ASUS has released new firmware with cumulative security updates that address vulnerabilities in multiple router models, warning customers to immediately update their devices or restrict WAN access until they're secured.

www.bleepingcomputer.com

(Was this already posted somewhere?)

“The list of impacted devices includes the following models: GT6, GT-AXE16000, GT-AX11000 PRO, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.”

"Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger," ASUS warned in a security advisory published today.

 

[Deleted member 84281]

And a good reason people should be using Stock Asus firmware at least till Merlin can catch up. His latest does not contain any of these security fixes.

 

[Mogsy]

And a good reason people should be using Stock Asus firmware at least till Merlin can catch up. His latest does not contain any of these security fixes.

I wouldnt be too worried. I have none of WAN related access enabled. Maybe people that have should take precautions.

 

[eightiescalling]

And a good reason people should be using Stock Asus firmware at least till Merlin can catch up. His latest does not contain any of these security fixes.

Not quite true - one of the listed CVEs specifically refers to versions prior to Asus Merlin 386.7 so that one is covered.

I am curious about the other though. Does netatalk not exist in the 386 build or is this another sign of the creep towards the remaining AC models being EOLd?

 

[ColinTaylor]

His latest does not contain any of these security fixes.

I've only looked at the RT-AX86U notes but almost all of those CVE's (including the two mentioned by Bleeping Computer) were fixed by Asus and Merlin last year! As for the other fixes, well that looks like a normal security update.

 

[Paliv]

And a good reason people should be using Stock Asus firmware at least till Merlin can catch up. His latest does not contain any of these security fixes.

Seems @ColinTaylor is into something. Merlin has actually been safer for a while… or bleeping computer is referencing the wrong CVEs. Wouldn’t be the first time.

 

[L&LD]

If RMerlin firmware required these fixes, we'd have a point 1 release soon, if not today already.

Security-wise, RMerlin is ahead of Asus stock, more times than not.

 

[XIII]

Maybe @RMerlin can comment on this, instead of us speculating?

 

[RMerlin]

And a good reason people should be using Stock Asus firmware at least till Merlin can catch up. His latest does not contain any of these security fixes.

That's incorrect. The two CVEs singled out on that article were actually fixed a year ago, for instance... If you read up the CVE bulletin, it even mentions that that one was fixed as early as in 386.7.

 

[XIII]

The latest (stock) firmware for my GT-AX6000 seems to be from May 12 (which I hope I don't need to install; I prefer Asuswrt-Merlin).

When checking the release notes of recent stock firmware versions I can't find quite a few of the CVE's mentioned by ASUS in the product security advisory...

 

[ColinTaylor]

When checking the release notes of recent stock firmware versions I can't find quite a few of the CVE's mentioned by ASUS in the product security advisory...

CVE-2023-28702, CVE-2023-28703, CVE-2022-46871, CVE-2018-1160, CVE-2022-26376 are included in the GT-AX6000 firmware.

As far as I can see;

CVE-2022-38105, CVE-2022-35401, CVE-2022-38393 are for the RT-AX82U.

CVE-2023-31195 is for the RT-AX3000.

 

[XIII]

Oh, it did not occur to me that some CVE's might be model-specific...

 

[netware5]

remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger,

It is interesting that in the list we have VPN server and port forwarding. I am curious how they might be vulnerable. This at least breaks my strong believe in the Rule #1: "the only port open to the WAN shall be the port OpenVPN server is listening on". The believe that any vulnerability of the OpenVPN server is a matter of OpenVPN code itself only is fundamental for my understanding of router security. If there is a possibilty for vulnerability related to the router FW itself and unrelated to the OpenVPN code, the game rules should be fundamentally changed ...

 

[ColinTaylor]

It is interesting that in the list we have VPN server and port forwarding. I am curious how they might be vulnerable. This at least breaks my strong believe in the Rule #1: "the only port open to the WAN shall be the port OpenVPN server is listening on". The believe that any vulnerability of the OpenVPN server is a matter of OpenVPN code itself only is fundamental for my understanding of router security. If there is a possibilty for vulnerability related to the router FW itself and unrelated to the OpenVPN code, the game rules should be fundamentally changed ...

"Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger," ASUS warned in a security advisory published today.

When I read this Asus' statement lost a lot of credibility. Rather than publicly admitting there's a known problem with a particular feature(s) they appear to be trying to obfuscate the issue with a non-specific "just disable all remote access". Maybe I'm being too cynical and Asus are merely too lazy to provide any detailed information.

 

[RMerlin]

Maybe I'm being too cynical and Asus are merely too lazy to provide any detailed information.

My personal guess is that there's a lawyer involved, having them cover their butt in every possible way they can imagine.

Port forward and VPN for instance isn't because of a flaw in these two, but because by giving a remote user LAN access, they could then exploit a LAN-only security issue of the router itself. Yes, it's stretching things to the limit, but that's what lawyers are known for...

 

[eightiescalling]

Lawyers was my thought too - especially if there happened to be an honest technical person in the room that happens to mention a hypothetical scenario that's is technically possible.

Lawyers thought process will be "I don't understand that but let's add it to the disclaimer so we can't be blamed"...

 

[Tech9]

What firmware the users have to upgrade to? Is a new one coming soon with all the fixes listed? Not very clear.

RT-AX86U as an example has a firmware month old. People who know some more than average users and want more precise application based parental controls may want to disable QUIC. Otherwise more and more traffic is recognized as QUIC only and not filtered. The Network Services filter is broken on 388_23285 though. They have to stay on the previous firmware 388_22525 - four months old. Upgrade is a good advice, but bugs have to be cleared out first.

 

[ATLga]

When I look at the CVE’s in this long list along with the long list of affected models, there’s something not right. Most of those CVE were fixed awhile ago. There has been a lot of firmware updates today so that seems a bit strange too and out of norm.

 

[ColinTaylor]

There has been a lot of firmware updates today so that seems a bit strange too and out of norm.

Really? I only see one new firmware update. All the others are old.

GT6 - 2023/05/18
GT-AXE16000 - 2023/04/19
GT-AX11000 Pro - 2023/05/15
GT-AXE11000 - 2023/06/19
GT-AX6000 - 2023/05/12
GT-AX11000 - 2023/05/31
GS-AX5400 - 2023/04/18
GS-AX3000 - 2023/04/19
XT9 - 2023/05/15
XT8 - 2023/05/15
XT8 V2 - 2023/05/15
RT-AX86U Pro - 2023/05/11
RT-AX86U/RT-AX86S - 2023/05/15
RT-AX82U - 2023/05/25
RT-AX58U - 2023/05/31
RT-AX3000 - 2023/05/31
TUF-AX6000 - 2023/04/18
TUF-AX5400 - 2023/05/18

 

[ATLga]

Really? I only see one new firmware update. All the others are old.

GT6 - 2023/05/18
GT-AXE16000 - 2023/04/19
GT-AX11000 Pro - 2023/05/15
GT-AXE11000 - 2023/06/19
GT-AX6000 - 2023/05/12
GT-AX11000 - 2023/05/31
GS-AX5400 - 2023/04/18
GS-AX3000 - 2023/04/19
XT9 - 2023/05/15
XT8 - 2023/05/15
XT8 V2 - 2023/05/15
RT-AX86U Pro - 2023/05/11
RT-AX86U/RT-AX86S - 2023/05/15
RT-AX82U - 2023/05/25
RT-AX58U - 2023/05/31
RT-AX3000 - 2023/05/31
TUF-AX6000 - 2023/04/18
TUF-AX5400 - 2023/05/18

Just looking at forum posts from today I see
Ax86u pro, gtax6000, ax3000, xt12
Might be one or two more, someone mentioned 88u pro but it may have been pulled be he has screenshot showing it.
ax58 shows 6/15 date but matches descriptions of 6/20.
TUF-AX6000