WQ6N
Occasional Visitor
I noticed that I am seeing UDP port 9999 broadcasts to 255.255.255.255:9999 from the ASUS AC-5300 routers. Did some research and found:
9999 udp infosvr Several Asus router models use a service called infosvr that listens on UDP port 9999 with root privileges and contains an unauthenticated command execution vulnerability. See [CVE-2014-9583]
common.c in infosvr in ASUS WRT firmware 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52, and other versions, as used in RT-AC66U, RT-N66U, and other routers, does not properly check the MAC address for a request, which allows remote attackers to bypass authentication and execute arbitrary commands via a NET_CMD_ID_MANU_CMD packet to UDP port 9999. NOTE: this issue was incorrectly mapped to CVE-2014-10000, but that ID is invalid due to its use as an example of the 2014 CVE ID syntax change.
References: [CVE-2014-9583]
Symantec (Not that we can trust Symantec any more since sold to China) CVE-2014-9583:
Attack: Asuswrt Remote Command Execution CVE-2014-9583
Severity: High
This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
Description
This signature detects attempts to exploit an arbitrary command execution vulnerability in Asuswrt.
Additional Information
Asuswrt is a unified firmware developed by Asus for their routers.
Asuswrt is prone to a remote command-execution vulnerability because it allows a user on the LAN to execute commands as root. Specifically, this issue affects the 'infosvr' service.
An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.
Affected
- Asuswrt 3.0.0.4.376_1071 is vulnerable; other versions may also be affected.
Just wondering if this was a security concern that should be addressed.
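An added example, not part of the original post: a triage sketch that separates router-originated broadcasts to port 9999, like those observed above, from datagrams other hosts send to that port, which is the direction the CVE text describes. The header byte values and layout are assumptions recalled from ASUS's public infosvr headers, not taken from this page, and the addresses and payloads are constructed samples.

```python
import struct

INFOSVR_PORT = 9999
BROADCAST = "255.255.255.255"

# Assumed infosvr header values (not from this page; verify against
# the firmware source for the model in question before relying on them).
SERVICE_ID_IBOX = 0x0C   # service identifier
PACKET_TYPE_CMD = 0x15   # request (as opposed to response)
OPCODE_MANU_CMD = 0x33   # NET_CMD_ID_MANU_CMD named in CVE-2014-9583


def classify(src, dst, dport, payload, routers):
    """Return a triage label for one UDP datagram seen on the LAN."""
    if dport != INFOSVR_PORT:
        return "ignore"
    # Assumed layout: u8 service, u8 type, u16 opcode, little-endian.
    if len(payload) >= 4:
        header = struct.unpack_from("<BBH", payload)
        if header == (SERVICE_ID_IBOX, PACKET_TYPE_CMD, OPCODE_MANU_CMD):
            return "alert: MANU_CMD request"
    if src in routers and dst == BROADCAST:
        return "router broadcast"
    if src not in routers:
        return "review: non-router sender"
    return "router unicast"


def triage(datagrams, routers):
    """Classify a list of (src, dst, dport, payload) tuples in order."""
    return [classify(s, d, p, data, routers) for s, d, p, data in datagrams]


# Constructed sample traffic: header bytes only, no command content.
ROUTERS = {"192.168.1.1"}
SAMPLES = [
    ("192.168.1.1", BROADCAST, 9999, b"\x0c\x16" + bytes(6)),
    ("192.168.1.50", "192.168.1.1", 9999, b"\x0c\x15\x33\x00" + bytes(8)),
    ("192.168.1.60", "192.168.1.1", 9999, b"\x00\x01"),
    ("192.168.1.50", "192.168.1.1", 53, b"\x0c\x15\x33\x00"),
]

if __name__ == "__main__":
    for sample, label in zip(SAMPLES, triage(SAMPLES, ROUTERS)):
        print(sample[0], "->", sample[1], label)
```

Only the second sample should raise an alert; the router's own broadcast is labelled separately so it does not drown out the requests worth reviewing.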