ASUS Router User? Patch ASAP!
Two nasty vulnerabilities need an update—pronto.
Taiwanese router manufacturer ASUSTeK has disclosed three new security flaws in some of its popular networking gear. Two of them are critical, each scoring a hefty 9.8 out of 10 on the CVSS chart.
Time to fetch the fixes. In today’s SB Blogwatch, we drop everything.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: RRR FAIL.
Or Junk it if EOL
What’s the craic? Bill Toulas reports: ASUS warns of critical remote authentication bypass
“Critical (9.8)”
CVE-2024-3080 (CVSS v3.1 score: 9.8 “critical”) is an authentication bypass vulnerability allowing unauthenticated, remote attackers to take control of the device. … Addressed on the same package is CVE-2024-3079, a high-severity (7.2) buffer overflow.
…
Taiwan’s CERT has also informed the public about CVE-2024-3912, … a critical (9.8) arbitrary firmware upload vulnerability allowing unauthenticated, remote attackers to execute system commands on the device. The flaw impacts multiple ASUS router models, but not all will be getting security updates.
…
Finally, ASUS announced an update to Download Master, a utility used on ASUS routers that enables users to … download files directly to a connected USB storage device. … Version 3.1.0.114 addresses five medium to high-severity issues.
How can we find out more? Simply hail Craig Hale: Update your Asus router now
“Important reminder”
The affected routers, a series of XT8 and RT models, should now be checked for firmware updates in order to prevent unwarranted access and to ensure optimal protection. … The latest Asus firmware versions are available on its download portals; however, for users unable to update immediately, Asus has also provided a set of instructions and guidance to improve protection.
…
It’s clear that the company remains committed to protecting its users in a timely manner. However, with sunsetted devices no longer receiving updates, this news serves as an important reminder not only to ensure that firmware and software updates are applied in due time, but that users replace their devices regularly.
Horse’s mouth? This ASUS Product Security Advisory:
“Get the latest version”
ASUS has released a new firmware update for the XT8, XT8_V2, RT-AX88U, RT-AX58U, RT-AX57, RT-AC86U, RT-AC68U. … If you are not able to update the firmware quickly, please make sure that both your login and WiFi passwords are strong. It is recommended [you] disable any services that can be reached from the internet, such as remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger.
…
ASUS has updated the Download Master with security enhancements. … If you turned on the Download master, login the web GUI and go to USB application –> Download Master and click the update to get the latest version … as soon as possible. If you cannot do so, ensure that your login and WiFi passwords are secure.
…
All ASUS routers launched since 2020 will received at least three years of security updates. … Please feel free to contact [email protected].
But don’t trust the auto updater. Incarnate plays Devil’s advocate: [You’re fired—Ed.]
When checking for updates on the XT8, it was showing as no updates are available, even though there was a newer one available on their download site. It has been doing this for a while.
…
Wondering if those with auto updates on are not receiving them due to some error. … I manually downloaded and installed the other day, but I shouldn’t have to do that. The option to check for updates should pull it.
Many ASUS routers can also use semi-official alternative firmware. ryandrake is a fan:
Any way to tell if these issues affect the community-developed, third-party “Merlin” firmwares?
Answered elsewhere by Frederic54:
Merlin patched this CVE in March already, I always install Merlin’s version of asus-wrt.
In part thanks to a federal consent decree, ASUS does a decent job of supporting old routers. So says aggri1:
After all the recent Apple articles making me feel obsolete because my devices are all some years older than is now required (e.g., 2010 iMac happily chugging away), I’m pleasantly surprised to see that the DSL-AC52U I use … is still receiving firmware updates. Good job Asus!
But how would normies know to update or replace? AmiMoJo suggestifies thuswise:
None of this is at all practical for most people. … What we need is a way to notify affected users. Maybe we could have a service like Have I Been Pwned, but for hardware, where you can register your device. Maybe a mandatory QR code on the box that you scan and it sets up notification emails for you.
Also a clear, large font display of the EOL date, and a note that the device must be replaced after that date. Tax for every year less than 15 where there is no support, to cover extra landfill/recycling costs, etc.
Meanwhile, a slightly sarcastic NoneRain offers the ultimate solution to remote-access vulns:
Don’t expose your router to the internet, folks.
And Finally:
Linus Boman is back with one of his signature typography rants
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.