What's new

ASUS urges customers to patch critical router vulnerabilities

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Just looking at forum posts from today I see
Ax86u pro, gtax6000, ax3000, xt12
Might be one or two more, someone mentioned 88u pro but it may have been pulled be he has screenshot showing it.
Looks like it might be regional and hasn't hit the UK servers yet.
 
I haven’t seen any of them up in the website yet either, most are saying they got from gui update notifier.
Quick glance at the descriptions for each update, the Security Fixes section looks to be the same 6 bullet points
 
That's incorrect. The two CVEs singled out on that article were actually fixed a year ago, for instance... If you read up the CVE bulletin, it even mentions that that one was fixed as early as in 386.7.
Merlin,

You are running the GT-AXE16000 like I am, Even with the latest Stock Firmware (3.0.0.4.388.23012) I do NOT see that they fixed CVE-2022-26376 and CVE-2018-1160, the most critical ones?

Does your latest firmware fix these? Do I need to worry.

UPDATE I searched your logs and it seems CVE-2022-26376 IS LISTED as fixed (As I assume latest Stock firmware is also fixed), I do NOT see the CVE-2018-1160 (Is that an older one?)

CC
 
Last edited:
Sigh.

 
I do NOT see the CVE-2018-1160 (Is that an older one?)
Netatalk was patched in May 2022 with the 386_48823 GPL merge.


Also if I remember correctly, unlike Asus, I run netatalk as nobody rather than as admin, which would most likely have mitigated that issue before it got patched anyway.

As for CVE-2022-26376, have you checked the bulletin itself? It says when it was fixed - and it was back with 386.7, which was also released a year ago.


EDIT: In fact, I was directly contacted by Cisco/Talos back on April 12th 2022 (last year) about this issue. I acted as the contact between them and Asus for this particular CVE. Talos contacted me on the 12th, and I relayed the info to Asus, Asus sent me the patch 24 hours later, on the 13th. I then relayed to Talos the info as to which versions of Asuswrt and Asuswrt-Merlin would contain the fix. You can see these versions mentioned in the CVE bulletin itself.

Guys, you really need to take the time to look at the CVE bulletins before panicking over yet another news site claiming the sky is falling...
 
Last edited:
from https://www.asus.com/content/asus-product-security-advisory/

  • Fixed CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2018-1160, CVE-2022-38393, CVE-2022-26376
06/19/2023 New firmware with accumulate security updates for GT6/GT-AXE16000/GT-AX11000 PRO/GT-AXE11000/GT-AX6000/GT-AX11000/GS-AX5400/GS-AX3000/XT9/XT8/XT8 V2/RT-AX86U PRO/RT-AX86U/RT-AX86S/RT-AX82U/RT-AX58U/RT-AX3000/TUF-AX6000/TUF-AX5400
We strongly encourage you to periodically audit both your equipment and your security procedures, as this will ensure that you will be better protected. As a user of an ASUS router, we advise taking the following actions:
  1. Update your router to the latest firmware. We strongly recommend that you do so as soon as new firmware is released. You will find the latest firmware available for download from the ASUS support page at https://www.asus.com/support/or the appropriate product page at https://www.asus.com/Networking/. ASUS has provided a link to new firmware for selected routers at the end of this notice.
  2. Set up separate passwords for your wireless network and router-administration page. Use passwords with a length of at least eight characters, including a mix of capital letters, numbers and symbols. Do not use the same password for multiple devices or services.
  3. Enable ASUS AiProtection, if your router supports this feature. Instructions on how to do this can be found in your router’s manual, or on the relevant ASUS support page, at https://www.asus.com/Networking/.

Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger.

For further help with router setup and an introduction to network security, please visit
https://www.asus.com/support/FAQ/1008000
https://www.asus.com/support/FAQ/1039292

The new firmware incorporates the following security fixes.
  1. Fixed CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2018-1160, CVE-2022-38393, CVE-2022-26376
  2. Fixed DoS vulnerabilities in firewall configuration pages.
  3. Fixed DoS vulnerabilities in httpd.
  4. Fixed information disclosure vulnerability.
  5. Fixed null pointer dereference vulnerabilities.
  6. Fixed the cfg server vulnerability.
  7. Fixed the vulnerability in the logmessage function.
  8. Fixed Client DOM Stored XSS
  9. Fixed HTTP response splitting vulnerability
  10. Fixed status page HTML vulnerability.
  11. Fixed HTTP response splitting vulnerability.
  12. Fixed Samba related vulerabilities.
  13. Fixed Open redirect vulnerability.
  14. Fixed token authentication security issues.
  15. Fixed security issues on the status page.
  16. Enabled and supported ECDSA certificates for Let's Encrypt.
  17. Enhanced protection for credentials.
  18. Enhanced protection for OTA firmware updates.

from https://rog.asus.com/networking/rog-rapture-gt-ax11000-pro-model/helpdesk_bios/
ASUS GT-AX11000 Pro Firmware version 3.0.0.4.388_23556
2023/06/20
Security Fixes
-Fixed several curl vulnerabilities including CVE-2023-28322, CVE-2023-28321, and CVE-2023-28319.
-Fixed FFmpeg vulnerabilities, specifically CVE-2022-3964, CVE-2022-48434, and CVE-2022-3109.
-Corrected an OpenVPN vulnerability categorized as CWE-134.
-Fixed the Hostap vulnerability CVE-2019-10064.
-Patched a command injection vulnerability.
-Strengthened protection against SSH brute force attacks.
 
Last edited:
Sorry if this has been answered already, do we need to take any measures if we want to continue running Merlin firmware ? Do we really need to take openVPN port down?
 
Do we really need to take openVPN port down?
RMerlin thinks that might be lawyer talk:

 
@SkaHot CVE-2023-28702, CVE-2023-28703, CVE-2023-31195

These two seemingly affect the AC86U and they have been only first reported on June 2, so very recent - they couldn't possibly be included in the latest Merlin.
I wonder why ASUS only reported these for AX routers, they may not care about AC anymore? https://www.asus.com/content/asus-product-security-advisory/
It means that AC68U and other older models may be affected as well...

Edit: Oh wait a minute. For AC68U the latest firmware 3.0.0.4.386.51665 from May 11 https://www.asus.com/networking-iot...ers/rtac68u/helpdesk_bios/?model2Name=RTAC68U includes:
'Fixed CVE-2023-28702 and CVE-2023-28703.'
Go figure.
 
Last edited:
RMerlin thinks that might be lawyer talk:

Thank you for your feedback, I had seen that response, but to my understanding @RMerlin commented only on two valnernabilities mentioned on bleepingcomputer.com article (namely : CVE-2022-26376, CVE-2018-1160).

Asus statement on yesterday's firmware updates cover more CVEs and some other security fixes:

Fixed CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2018-1160, CVE-2022-38393, CVE-2022-26376

That's why I asked.
 
Last edited:
That's the one I'm looking for. Asus has been busy pushing updates out the last couple of days, guess it's at the end of the list.
Well, it doesn't really make much sense. Why would ASUS come out with this statement BEFORE actually releasing the fixed firmwares themselves?
06/19/2023 New firmware with accumulate security updates for...

Meanwhile, the latest available firmware is from 05/15/2023 https://www.asus.com/networking-iot.../?model2Name=RT-AX86-Series-RT-AX86U-RT-AX86S
 
So if I am reading this all correctly, ASUSWRT-MERLIN already has everything patched?
No, because there's more that's being patched than just the CVE's that everyone seems to be concentrating on. As is normal, there's a delay before Asus releases updated GPLs and Merlin can implement them in a new release. So some of the "other" security fixes may or may not be included/relevant in the current Merlin release.
 
No, because there's more that's being patched than just the CVE's that everyone seems to be concentrating on. As is normal, there's a delay before Asus releases updated GPLs and Merlin can implement them in a new release. So some of the "other" security fixes may or may not be included/relevant in the current Merlin release.
Guess I was wrong. Thanks for clarifying.
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top