ASUS urges customers to patch critical router vulnerabilities

Just looking at forum posts from today, I see:
AX86U Pro, GT-AX6000, AX3000, XT12
Might be one or two more; someone mentioned the 88U Pro, but it may have been pulled, though he has a screenshot showing it.
Looks like it might be regional and hasn't hit the UK servers yet.
 
I haven't seen any of them up on the website yet either; most are saying they got it from the GUI update notifier.
A quick glance at the descriptions for each update shows the Security Fixes section looks to be the same 6 bullet points.
 
That's incorrect. The two CVEs singled out in that article were actually fixed a year ago, for instance... If you read the CVE bulletin, it even mentions that that one was fixed as early as 386.7.
Merlin,

You are running the GT-AXE16000 like I am. Even with the latest stock firmware (3.0.0.4.388.23012) I do NOT see that they fixed CVE-2022-26376 and CVE-2018-1160, the most critical ones?

Does your latest firmware fix these? Do I need to worry.

UPDATE: I searched your logs and it seems CVE-2022-26376 IS LISTED as fixed (as I assume the latest stock firmware is also fixed); I do NOT see CVE-2018-1160 (is that an older one?).

CC
Sigh.

 
I do NOT see the CVE-2018-1160 (Is that an older one?)
Netatalk was patched in May 2022 with the 386_48823 GPL merge.


Also if I remember correctly, unlike Asus, I run netatalk as nobody rather than as admin, which would most likely have mitigated that issue before it got patched anyway.

As for CVE-2022-26376, have you checked the bulletin itself? It says when it was fixed - and it was back with 386.7, which was also released a year ago.


EDIT: In fact, I was directly contacted by Cisco/Talos back on April 12th 2022 (last year) about this issue. I acted as the contact between them and Asus for this particular CVE. Talos contacted me on the 12th, and I relayed the info to Asus, Asus sent me the patch 24 hours later, on the 13th. I then relayed to Talos the info as to which versions of Asuswrt and Asuswrt-Merlin would contain the fix. You can see these versions mentioned in the CVE bulletin itself.

Guys, you really need to take the time to look at the CVE bulletins before panicking over yet another news site claiming the sky is falling...
from https://www.asus.com/content/asus-product-security-advisory/

  • Fixed CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2018-1160, CVE-2022-38393, CVE-2022-26376
06/19/2023 New firmware with accumulated security updates for GT6/GT-AXE16000/GT-AX11000 PRO/GT-AXE11000/GT-AX6000/GT-AX11000/GS-AX5400/GS-AX3000/XT9/XT8/XT8 V2/RT-AX86U PRO/RT-AX86U/RT-AX86S/RT-AX82U/RT-AX58U/RT-AX3000/TUF-AX6000/TUF-AX5400
We strongly encourage you to periodically audit both your equipment and your security procedures, as this will ensure that you will be better protected. As a user of an ASUS router, we advise taking the following actions:
  1. Update your router to the latest firmware. We strongly recommend that you do so as soon as new firmware is released. You will find the latest firmware available for download from the ASUS support page at https://www.asus.com/support/ or the appropriate product page at https://www.asus.com/Networking/. ASUS has provided a link to new firmware for selected routers at the end of this notice.
  2. Set up separate passwords for your wireless network and router-administration page. Use passwords with a length of at least eight characters, including a mix of capital letters, numbers and symbols. Do not use the same password for multiple devices or services.
  3. Enable ASUS AiProtection, if your router supports this feature. Instructions on how to do this can be found in your router’s manual, or on the relevant ASUS support page, at https://www.asus.com/Networking/.

Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger.

For further help with router setup and an introduction to network security, please visit
https://www.asus.com/support/FAQ/1008000
https://www.asus.com/support/FAQ/1039292

The new firmware incorporates the following security fixes.
  1. Fixed CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2018-1160, CVE-2022-38393, CVE-2022-26376
  2. Fixed DoS vulnerabilities in firewall configuration pages.
  3. Fixed DoS vulnerabilities in httpd.
  4. Fixed information disclosure vulnerability.
  5. Fixed null pointer dereference vulnerabilities.
  6. Fixed the cfg server vulnerability.
  7. Fixed the vulnerability in the logmessage function.
  8. Fixed Client DOM Stored XSS.
  9. Fixed HTTP response splitting vulnerability.
  10. Fixed status page HTML vulnerability.
  11. Fixed HTTP response splitting vulnerability.
  12. Fixed Samba related vulnerabilities.
  13. Fixed Open redirect vulnerability.
  14. Fixed token authentication security issues.
  15. Fixed security issues on the status page.
  16. Enabled and supported ECDSA certificates for Let's Encrypt.
  17. Enhanced protection for credentials.
  18. Enhanced protection for OTA firmware updates.

from https://rog.asus.com/networking/rog-rapture-gt-ax11000-pro-model/helpdesk_bios/
ASUS GT-AX11000 Pro Firmware version 3.0.0.4.388_23556
2023/06/20
Security Fixes
-Fixed several curl vulnerabilities including CVE-2023-28322, CVE-2023-28321, and CVE-2023-28319.
-Fixed FFmpeg vulnerabilities, specifically CVE-2022-3964, CVE-2022-48434, and CVE-2022-3109.
-Corrected an OpenVPN vulnerability categorized as CWE-134.
-Fixed the Hostap vulnerability CVE-2019-10064.
-Patched a command injection vulnerability.
-Strengthened protection against SSH brute force attacks.
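One way to check a router for the WAN-side services the advisory says to disable, as an added example that is not part of this thread or of any ASUS or Asuswrt-Merlin code: a POSIX shell audit run over an `nvram show` dump. The nvram key names (misc_http_x, vts_enable_x, ddns_enable_x, dmz_ip, autofw_enable_x, sshd_enable, VPNServer_enable, pptpd_enable, ipsec_server_enable) are assumptions about common Asuswrt builds and should be verified against your own firmware; the dump below is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from ASUS): audit an Asuswrt
# "nvram show" dump for services reachable from the WAN, i.e. the ones
# the advisory recommends disabling if the firmware is not updated.
# Key names are ASSUMED from common Asuswrt builds; verify before relying.

# Constructed sample standing in for `nvram show` output.
SAMPLE_NVRAM='misc_http_x=1
misc_httpsport_x=8443
vts_enable_x=1
ddns_enable_x=0
dmz_ip=192.168.50.10
autofw_enable_x=0
sshd_enable=2
VPNServer_enable=1
pptpd_enable=0
ipsec_server_enable=0'

# nv FILE KEY -> value of KEY in the dump (empty if absent)
nv() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# report DESCRIPTION -> prints a finding and bumps the running count
report() { echo "EXPOSED: $1"; n=$((n + 1)); }

# audit_wan_services FILE -> one line per WAN-reachable service plus a total
audit_wan_services() {
    f=$1; n=0
    [ "$(nv "$f" misc_http_x)" = "1" ]         && report "web admin from WAN (misc_http_x)"
    [ "$(nv "$f" vts_enable_x)" = "1" ]        && report "port forwarding (vts_enable_x)"
    [ "$(nv "$f" ddns_enable_x)" = "1" ]       && report "DDNS (ddns_enable_x)"
    [ -n "$(nv "$f" dmz_ip)" ]                 && report "DMZ host $(nv "$f" dmz_ip) (dmz_ip)"
    [ "$(nv "$f" autofw_enable_x)" = "1" ]     && report "port trigger (autofw_enable_x)"
    # sshd_enable: 1 = LAN+WAN, 2 = LAN only (assumed Asuswrt-Merlin convention)
    [ "$(nv "$f" sshd_enable)" = "1" ]         && report "SSH from WAN (sshd_enable)"
    [ "$(nv "$f" VPNServer_enable)" = "1" ]    && report "OpenVPN server (VPNServer_enable)"
    [ "$(nv "$f" pptpd_enable)" = "1" ]        && report "PPTP server (pptpd_enable)"
    [ "$(nv "$f" ipsec_server_enable)" = "1" ] && report "IPsec server (ipsec_server_enable)"
    echo "$n WAN-reachable service(s) found"
}

# count_wan_services FILE -> just the number of findings (0 when clean)
count_wan_services() { audit_wan_services "$1" | grep -c '^EXPOSED:' || true; }

# Stand-alone run on the constructed dump (on a router: nvram show > /tmp/nv.txt)
tmp=$(mktemp); printf '%s\n' "$SAMPLE_NVRAM" > "$tmp"
audit_wan_services "$tmp"
rm -f "$tmp"
```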
Sorry if this has been answered already; do we need to take any measures if we want to continue running Merlin firmware? Do we really need to take the OpenVPN port down?
 
Do we really need to take the OpenVPN port down?
RMerlin thinks that might be lawyer talk:

 
@SkaHot CVE-2023-28702, CVE-2023-28703, CVE-2023-31195

These two seemingly affect the AC86U, and they were only first reported on June 2, so very recent; they couldn't possibly be included in the latest Merlin.
I wonder why ASUS only reported these for AX routers; maybe they don't care about AC anymore? https://www.asus.com/content/asus-product-security-advisory/
It means that the AC68U and other older models may be affected as well...

Edit: Oh wait a minute. For AC68U the latest firmware 3.0.0.4.386.51665 from May 11 https://www.asus.com/networking-iot...ers/rtac68u/helpdesk_bios/?model2Name=RTAC68U includes:
'Fixed CVE-2023-28702 and CVE-2023-28703.'
Go figure.
RMerlin thinks that might be lawyer talk:

Thank you for your feedback. I had seen that response, but to my understanding @RMerlin commented only on the two vulnerabilities mentioned in the bleepingcomputer.com article (namely CVE-2022-26376 and CVE-2018-1160).

Asus's statement on yesterday's firmware updates covers more CVEs and some other security fixes:

Fixed CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2018-1160, CVE-2022-38393, CVE-2022-26376

That's why I asked.
That's the one I'm looking for. Asus has been busy pushing updates out the last couple of days, guess it's at the end of the list.
Well, it doesn't really make much sense. Why would ASUS come out with this statement BEFORE actually releasing the fixed firmware themselves?
06/19/2023 New firmware with accumulated security updates for...

Meanwhile, the latest available firmware is from 05/15/2023 https://www.asus.com/networking-iot.../?model2Name=RT-AX86-Series-RT-AX86U-RT-AX86S
 
So if I am reading this all correctly, ASUSWRT-MERLIN already has everything patched?
No, because there's more that's being patched than just the CVE's that everyone seems to be concentrating on. As is normal, there's a delay before Asus releases updated GPLs and Merlin can implement them in a new release. So some of the "other" security fixes may or may not be included/relevant in the current Merlin release.
 
No, because there's more that's being patched than just the CVE's that everyone seems to be concentrating on. As is normal, there's a delay before Asus releases updated GPLs and Merlin can implement them in a new release. So some of the "other" security fixes may or may not be included/relevant in the current Merlin release.
Guess I was wrong. Thanks for clarifying.