Geekzone: technology news, blogs, forums


Lias


#315155 18-Jun-2024 08:07

via Ars Technica

 

Hardware manufacturer Asus has released updates patching multiple critical vulnerabilities that allow hackers to remotely take control of a range of router models with no authentication or interaction required of end users.

 

The most critical vulnerability, tracked as CVE-2024-3080, is an authentication bypass flaw that can allow remote attackers to log into a device without authentication. The vulnerability, according to the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC), carries a severity rating of 9.8 out of 10. Asus said the vulnerability affects the following routers:

 

Model name | Support site link
XT8 and XT8_V2 | https://www.asus.com/uk/supportonly/asus%20zenwifi%20ax%20(xt8)/helpdesk_bios/
RT-AX88U | https://www.asus.com/supportonly/RT-AX88U/helpdesk_bios/
RT-AX58U | https://www.asus.com/supportonly/RT-AX58U/helpdesk_bios/
RT-AX57 | https://www.asus.com/networking-iot-servers/wifi-routers/asus-wifi-routers/rt-ax57/helpdesk_bios
RT-AC86U | https://www.asus.com/supportonly/RT-AC86U/helpdesk_bios/
RT-AC68U | https://www.asus.com/supportonly/RT-AC68U/helpdesk_bios/

 

The Ars link also has details on some other vulnerabilities in other older routers (mostly DSL ones), some of which are patched, some of which are out of support and should be binned.





I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup. Opinions are my own and not the views of my employer.


nztim

  #3250294 18-Jun-2024 08:52

Surely this would only be vulnerable if you are stupid enough to open the management console to the WAN ?





Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 




Taubin

  #3250295 18-Jun-2024 08:57

nztim:

 

if you are stupid enough to open the management console to the WAN ?

 

 

The majority of the population it seems is in fact that stupid. Convenience > anything else. 

 

I'm not sure if the management console is open by default, but I wouldn't be surprised if it is. Or if they push it as an "install our app and control your device from anywhere!" kind of marketing bs during setup.





ZL2TOY/ZL1DMP


MaxineN

  #3250296 18-Jun-2024 09:01

nztim:

 

Surely this would only be vulnerable if you are stupid enough to open the management console to the WAN ?

 

 

 

 

By default, no, it's not. IIRC from my AX3000 (which is a rebrand of the AX58U), it even warns you about doing this.





Ramblings from a mysterious lady who's into tech. Warning I may often create zingers.




michaelmurfy

  #3250298 18-Jun-2024 09:04

nztim:

 

Surely this would only be vulnerable if you are stupid enough to open the management console to the WAN ?

 

Default behavior for routers that have not been fully configured. Let's just take a look at AS9790:

 

 

 

Yep...





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.


gehenna

  #3250300 18-Jun-2024 09:17

There's stupid and there's ignorant.  Focusing on educating the latter reduces the former. 


MaxineN

  #3250313 18-Jun-2024 09:58

michaelmurfy:

 

nztim:

 

Surely this would only be vulnerable if you are stupid enough to open the management console to the WAN ?

 

Default behavior for routers that have not been fully configured. Let's just take a look at AS9790:

 

Yep...

 



Yikes.





nickt


  #3250395 18-Jun-2024 13:18

This is obviously not great, and agree opening up the interface to the whole internet is a bad idea. The phrasing on Ars of "Asus has released updates patching multiple critical vulnerabilities ..." implies they came out today, when actually they've been out since mid-April in the case of the RT-AC68U. More that CVEs have been opened after some delay, charitably so devices have had a chance to be updated but Asus communication has never been stellar IME.

 

FYI, venerable devices like the RT-AC68U are now on Asus's EOL list, along with many other RT-ACxx models.

 

Lias, could you edit your post to remove trailing spaces in the links? They make the Asus webserver fail to load the page.

 

 


Lias


  #3250405 18-Jun-2024 13:34

nickt:

 

Lias, could you edit your post to remove trailing spaces in the links? They make the Asus webserver fail to load the page.

 

 

The links worked fine for me using Vivaldi, but done.







nickt


  #3250422 18-Jun-2024 14:42

Lias:

 

The links worked fine for me using Vivaldi, but done.

 

 

Cheers. When using Firefox the sequence is 

 

GET https://www.asus.com/supportonly/RT-AX88U/helpdesk_bios/%20

 

301 https://www.asus.com/upportonly/rt-ax88u/helpdesk_bios/ /

 

302 https://dlcdnimgs.asus.com/websites/server_500.html

 

shrug Webserver configuration error I guess.


nztim

  #3250429 18-Jun-2024 15:05

This is why CG-NAT is a good thing for "most" people







Batman

  #3250505 18-Jun-2024 16:46

michaelmurfy:

 

nztim:

 

Surely this would only be vulnerable if you are stupid enough to open the management console to the WAN ?

 

Default behavior for routers that have not been fully configured. Let's just take a look at AS9790:

 

Yep...

 

 

sorry but can someone explain to the uneducated?

 

the issue being someone remote can log on to the router using default credentials?


 
 
 
 

michaelmurfy

  #3250522 18-Jun-2024 17:40

Batman: the issue being someone remote can log on to the router using default credentials?

 

Not default, but CVE-2024-3080 is an authentication bypass flaw basically allowing an attacker to get past the login screen but combined with the other vulnerability (CVE-2024-3079) allows for the attacker to execute code on your router (eg, malware on the router itself). It is pretty dangerous.

 

These Asus routers are basically Linux computers. They're a target for hackers which is why I always say for the less technical users to stick with ISP provided solutions. We've seen in the past users just plugging a router into their ONT back when MyRepublic was a thing (they did DHCP with no VLAN) and finding it worked so didn't even go through initial setup leading to the exposed routers I posted above.







Batman

  #3250531 18-Jun-2024 18:10

michaelmurfy:

 

Batman: the issue being someone remote can log on to the router using default credentials?

 

Not default, but CVE-2024-3080 is an authentication bypass flaw basically allowing an attacker to get past the login screen but combined with the other vulnerability (CVE-2024-3079) allows for the attacker to execute code on your router (eg, malware on the router itself). It is pretty dangerous.

 

These Asus routers are basically Linux computers. They're a target for hackers which is why I always say for the less technical users to stick with ISP provided solutions. We've seen in the past users just plugging a router into their ONT back when MyRepublic was a thing (they did DHCP with no VLAN) and finding it worked so didn't even go through initial setup leading to the exposed routers I posted above.

 

 

How do I know if my Dlink and my TP-Link routers have this issue?


michaelmurfy

  #3250556 18-Jun-2024 19:46

Batman: How do I know if my Dlink and my TP-Link routers have this issue?

 

Whack your public IP address into something like https://www.shodan.io to ensure you don't have any exposed services plus ensure your router's firmware is up to date.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.
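
One way to act on the Shodan suggestion above, as an added example that is not part of the original thread: triage the services recorded for your own public IP and flag any that look like a router management interface reachable from the WAN. The field names (`data`, `port`, `transport`, `http.title`) are assumed to follow the layout of a Shodan host record; the port list, title keywords and sample record are constructed for illustration.

```python
import re

# Assumption for this example: ports typically used for remote administration.
REMOTE_ADMIN_PORTS = {22: "SSH", 23: "Telnet", 7547: "TR-069/CWMP"}
# Assumption: page-title keywords that suggest a router or admin login page.
ADMIN_TITLE = re.compile(r"login|sign in|router|admin", re.IGNORECASE)

# Constructed sample record (203.0.113.0/24 is a documentation range).
SAMPLE_HOST = {
    "ip_str": "203.0.113.10",
    "data": [
        {"port": 8443, "transport": "tcp",
         "http": {"title": "Wireless Router - Sign In"}},
        {"port": 22, "transport": "tcp", "product": "Dropbear sshd"},
        {"port": 51820, "transport": "udp"},
    ],
}


def classify(banner):
    """Return (verdict, reason) for one service banner."""
    port = banner["port"]
    title = (banner.get("http") or {}).get("title") or ""
    if port in REMOTE_ADMIN_PORTS:
        return "management", f"{REMOTE_ADMIN_PORTS[port]} reachable from the internet"
    if ADMIN_TITLE.search(title):
        return "management", f"web page titled {title!r}"
    return "review", "exposed service; confirm the port forward is intended"


def exposed_services(host):
    """List (port, transport, verdict, reason) for every banner, sorted by port."""
    findings = []
    for banner in host.get("data", []):
        verdict, reason = classify(banner)
        findings.append((banner["port"], banner.get("transport", "tcp"), verdict, reason))
    return sorted(findings)


def wan_admin_exposed(host):
    """True if any recorded service looks like a management interface."""
    return any(verdict == "management" for _, _, verdict, _ in exposed_services(host))


if __name__ == "__main__":
    for port, transport, verdict, reason in exposed_services(SAMPLE_HOST):
        print(f"{SAMPLE_HOST['ip_str']} {port}/{transport}: {verdict} ({reason})")
    print("management interface exposed:", wan_admin_exposed(SAMPLE_HOST))
```

An empty result only means the indexer has not recorded anything for that address, so the firmware check still applies.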

