ASUS routers are vulnerable to serious remote code execution flaws

Three critical remote code execution vulnerabilities affect ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U routers, which could allow threat actors to hijack devices if security updates are not installed.

These three WiFi routers are high-end models popular in the consumer networking market and are now available on the ASUS website, favored by gamers and users with demanding performance needs.

The flaws, which all have a score of 9.8 out of 10.0 in CVSS v3.1, are coordination chain vulnerabilities that can be exploited remotely and without authentication, which could allow remote code execution, service outages, and arbitrary device operations.

Format string flaws are security issues that arise from unauthorized and/or unsanitized user input within format string parameters for certain functions. They can lead to various problems, including information disclosure and code execution.

Attackers exploit these flaws by using specially crafted inputs that are sent to vulnerable devices. In the case of ASUS routers, they target specific administrative API functions on the devices.

Defects

The three vulnerabilities revealed earlier today by the Taiwanese CERT team are the following:

1. CVE-2023-39238: Incorrect validation of input format string in iperf related API module “ser_iperf3_svr.cgi”.
2. CVE-2023-39239: Failure to validate the input format string in the global setup function API.
3. CVE-2023-39240: Incorrect validation of input format string in iperf-related API module ‘ser_iperf3_cli.cgi’.

The above issues affect ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U on firmware versions 3.0.0.4.386_50460, 3.0.0.4.386_50460, and 3.0.0.4_386_51529, respectively.

The recommended solution is to apply the following firmware updates:

ASUS released patches addressing the three flaws in early August 2023 for the RT-AX55, in May 2023 for the AX56U_V2, and in July 2023 for the RT-AC86U.

Users who have not applied security updates since then should consider their devices vulnerable and prioritize the action as soon as possible.

Furthermore, since many consumer router flaws target the Web Administrator console, it is highly recommended that you turn off Remote Administration (WAN Web Access) Internet access blocking feature.