Latest firmware updates for Asus routers fix CSRF security flaws

Latest firmware updates for Asus routers fix CSRF security flaws

The vulnerabilities could allow hackers to modify routers' settings through cross-site request forgery attacks

Users of Asus RT-N and RT-AC series routers should install the latest firmware updates released for their models because they address vulnerabilities that could allow attackers to hijack router settings.

The flaws were discovered by researchers from security consultancy outfit Nightwatch Cybersecurity and leave many Asus router models exposed to cross-site request forgery (CSRF) attacks.

CSRF is an attack technique that involves hijacking a user's browser when visiting a specially crafted website and forcing it to send unauthorized requests to a different website -- or in this case, the router web-based administration interface accessible over the local area network (LAN).

The login page for the web interface of most Asus routers running the company's unified AsusWRT firmware doesn't have any type of CSRF protection, according to the Nightwatch researchers. This allows malicious websites to send login requests to Asus routers through users' browsers without their knowledge.

In order to pull off such an attack, hackers need to know the LAN IP address of the targeted router and the password for its admin account. In many cases this information is easy to obtain.

There are ways for web pages to scan a visitor's local network for devices. There is even an open-source JavaScript framework called Sonar.js that contains "fingerprints" for different routers.

However, such advanced techniques are not even needed in most cases, because users rarely change their router's default IP address -- in the case of Asus routers.

Many users also don't change their router's default and publicly documented username and password combination -- admin/admin for Asus routers. Some users don't change these credentials because they don't know how, while others don't do it out of convenience and based on the false belief that their router cannot be attacked because its web interface is not exposed to the internet.

Unfortunately, this thinking doesn't take into account CSRF and other LAN-based attacks. Large-scale CSRF campaigns that hijacked routers' settings have been observed in the wild over the past few years, and security vendors recently found computer and mobile malware programs designed to compromise routers over the local area network.

Once authenticated on the router via CSRF, an attacker would have no problem changing a setting, the Nightwatch researchers said in an advisory this week. That's because the page that saves any configuration modifications also lacks CSRF protection, they said.

A common attack against routers is to change their DNS (Domain Name System) server settings, forcing them to use a DNS server controlled by attackers. Since DNS is used to translate domain names into IP addresses, attackers can use their control over DNS responses to direct users who connect through a compromised router to fake web pages.

This enables powerful phishing attacks because the browser address bar would continue to display the correct domain name for the legitimate website the user tried to access, but the loaded page would be provided by attackers.

In addition to the CSRF issues, Nightwatch Cybersecurity also found three information leak vulnerabilities that could be exploited from remote websites or mobile applications on the same LAN to expose details about a router's configuration, including its wireless network password.

Asus doesn't consider all of these issues as security vulnerabilities. The company released firmware updates to fix the CSRF issues and some of the info leaks for many of the affected models in March and April. However, there are user reports that at least one model, the 4G-AC55U, is also vulnerable and has no patch.

A common problem with routers is that even when firmware updates become available, very few users go to the trouble of downloading and installing them on their devices. The firmware update process is not exactly straightforward on routers, but vendors are often not clear about what these updates contain or why they're needed.

For example, the release notes for the new Asus router firmware updates mention that the following security issues have been fixed: CVE-2017-5891, CVE-2017-5892, CVE-2017-6547, CVE-2017-6549, and CVE-2017-6548.

To understand what those vulnerabilities are about, users would have to search the internet on their own and even then, they might find no useful information. For example, if a user would have searched for CVE-2017-5891 and CVE-2017-5892 in March or April, they would have found no details. If they search now, they'll likely come across the third-party Nightwatch Cybersecurity advisory published Tuesday.

Since details about these vulnerabilities are now publicly available, Asus router owners should install the firmware updates for their models as soon as possible. There are also other actions that can be taken to reduce the likelihood routers being compromised in general.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.



Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Veritas honours top performing trans-Tasman partners

Veritas honours top performing trans-Tasman partners

Veritas honoured its top performing partners across the channel in Australia and New Zealand, recognising innovation and excellence on both sides of the Tasman. Revealed under the Vivid lights in Sydney, Intalock claimed the coveted Partner of the Year 2017 (Pacific) award, with Data#3 acknowledged for 12 months of strong growth across the market. Meanwhile, Datacom took home the New Zealand honours, with Global Storage and Insentra winning service provider and consulting awards respectively. Dicker Data was recognised as the standout distributor of the year, while Hitachi Data Systems claimed the alliance partner award. Photos by Bob Seary.

Veritas honours top performing trans-Tasman partners
Show Comments