Asus RT wireless routers have joined the SOHOpeless list – with poor cross-site request forgery protection affecting 30 variants of the devices.
The design blunders, labeled CVE-2017-5891, hit RT-AC and RT-N variants using firmware older than version 220.127.116.11.380.7378.
The lack of CSRF protection means that if the user has left the default credentials – admin:admin – in place, or if an attacker knows the admin password, a malicious webpage can log into the router when visited by the victim. Nightwatch Cybersecurity, which discovered the issue, explained this week that the exploit is trivial: "Submit the base-64 encoded username and password as 'login_authorization' form post, to the '/login.cgi' URL of the browser."
A successful login means an attacker is able to change the router's settings, and hijack the DNS, for example, but Nightwatch admitted "we have not been able to exploit this issue consistently." Nightwatch also notes two JSONP bugs, which can reveal potentially sensitive information such as a network map and details about the router.
Asus has addressed the CSRF issues in a March firmware update, but doesn't consider one of Nightwatch's non-CSRF issues, CVE 2017-5892, to be serious enough to warrant a fix. Also include in the updated firmware are fixes for:
- CVE-2017-6547, a cross-site scripting bug in the routers' HTTP daemon.
- CVE-2017-6549, a session hijack vulnerability in the HTTP daemon.
- CVE-2017-6548, a remote code execution buffer overflow in the routers'
Get patching if you haven't already. ®