CVE-2021-3128 - IPv6 routing loop in firmware versions older than DNSpooq fix beta firmware

[Jesse Viviano]

From the US National Vulnerability Database at https://nvd.nist.gov/vuln/detail/CVE-2021-3128:

In ASUS RT-AX3000, ZenWiFi AX (XT8), RT-AX88U, and other ASUS routers with firmware < 3.0.0.4.386.42095 or < 9.0.0.4.386.41994, when IPv6 is used, a routing loop can occur that generates excessive network traffic between an affected device and its upstream ISP's router. This occurs when a link prefix route points to a point-to-point link, a destination IPv6 address belongs to the prefix and is not a local IPv6 address, and a router advertisement is received with at least one global unique IPv6 prefix for which the on-link flag is set.

It seems like the beta firmware meant to fix the DNSpooq also fixed an IPv6 routing loop between the Asus router and the ISP's router, so IPv6 users should consider updating their routers to the beta firmware if no later full releases have been made. I discovered that the GT-AX11000's last full release is before the cited version numbers, and I have IPv6 turned on. I have since updated to the beta firmware. I found this CVE while trying to search for how stable the beta firmware is before upgrading to it.

 

[RMerlin]

One issue in 42095 that I'm aware of is it does not properly handle IPv6 pings. Otherwise, it should be fairly stable.