ASUS Urges Firmware Update Amidst Severe Router Vulnerabilities

CVE-2023-39238

According to a revelation from the Taiwan CERT [1,2,3], renowned hardware manufacturer ASUS has identified critical vulnerabilities in three of its premium routers. These vulnerabilities allow attackers to remotely exploit the routers without authentication, enabling them to execute remote codes, launch DoS attacks, and perform any arbitrary operations.

The routers in question are the ASUS RT-AX55, ASUS RT-AX56U_V2, and ASUS RT-AC86U. These devices, which command a premium price point, are positioned as high-performance units, drawing the attention of numerous gaming enthusiasts.

ASUS has already released updated firmware to address these vulnerabilities and strongly advises users of the affected routers to promptly upgrade to the latest version.

These vulnerabilities have been assigned a CVSS score of 9.8 out of 10 and are classified as format string vulnerabilities. Such vulnerabilities arise due to unvalidated or unfiltered user input in certain function format string parameters, potentially leading to information disclosure and code execution.

Attackers can exploit these vulnerabilities by crafting specific input with parameters to gain unauthorized privileges.

The identified vulnerabilities are referenced as CVE-2023-39238, CVE-2023-39239, and CVE-2023-39240.

  • CVE-2023-39238: ASUS RT-AX55、RT-AX56U_V2、RT-AC86U – Format String – 1The ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U routers have a vulnerability within the iperf-related module set_iperf3_svr.cgi API pertaining to format strings. This vulnerability arises because the system fails to adequately validate input format strings. As a consequence, remote attackers, even without privileges, can exploit this flaw to execute remote code, perform arbitrary actions on the device, or disrupt services.
  • CVE-2023-39239: ASUS RT-AX55、RT-AX56U_V2、RT-AC86U – Format String – 2
    Similarly, the general configuration functionality’s API for the ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U routers possesses a format string vulnerability. This flaw stems from an inadequate validation of input format strings. Thus, remote attackers, without the need for specific permissions, can exploit this vulnerability to remotely execute code, manipulate the device at will, or halt services.
  • CVE-2023-39240: ASUS RT-AX55、RT-AX56U_V2、RT-AC86U – Format String – 3

    Furthermore, the ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U routers exhibit a vulnerability in the iperf-related module set_iperf3_cli.cgi API concerning format strings. Owing to improper validation of input format strings, this vulnerability can be leveraged by remote attackers, even in the absence of privileges, to execute remote code, execute arbitrary commands on the device, or suspend its services.

The firmware versions impacted include 3.0.0.4.386_50460 for both AX55 and AX56U_V2 and 3.0.0.4_386_51529 for AC86U.

On August 31st, ASUS released the new firmware and initiated several push notifications. Given that some users may have disabled automatic updates, it is recommended that they enable updates, check for firmware updates within the router interface, or manually download and install the latest firmware.

Updating directly within the router interface is suggested. To do this, one should log into the ASUS router console, navigate to advanced settings, system management, firmware upgrade, and check for updates.

In the past, ASUS inadvertently released flawed firmware causing some routers to continuously reboot. While it is understandable that this led to several users disabling automatic updates, it is still recommended to enable them for enhanced security.

The remediated firmware versions and their respective download links are:

For manual updates post-download, navigate to the firmware upgrade section, select manual firmware update, upload, and choose the firmware.