ASUS has released firmware updates for several router models fixing two critical and several other security issues. The two critical vulnerabilities found are CVE-2022-26376 and CVE-2018-1160. Affected ASUS and ROG-branded router models include the GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400 models. The new firmware is available for download at the ASUS support page and corresponding product page of each router model.
Statement from ASUS
New firmware with accumulate security updates for GT6/GT-AXE16000/GT-AX11000 PRO/GT-AXE11000/GT-AX6000/GT-AX11000/GS-AX5400/GS-AX3000/XT9/XT8/XT8 V2/RT-AX86U PRO/RT-AX86U/RT-AX86S/RT-AX82U/RT-AX58U/RT-AX3000/TUF-AX6000/TUF-AX5400
We strongly encourage you to periodically audit both your equipment and your security procedures, as this will ensure that you will be better protected. As a user of an ASUS router, we advise taking the following actions:
1 - Update your router to the latest firmware. We strongly recommend that you do so as soon as new firmware is released. You will find the latest firmware available for download from the ASUS support page at https://www.asus.com/support/ or the appropriate product page at https://www.asus.com/Networking/. ASUS has provided a link to new firmware for selected routers at the end of this notice.
2 - Set up separate passwords for your wireless network and router-administration page. Use passwords with a length of at least eight characters, including a mix of capital letters, numbers and symbols. Do not use the same password for multiple devices or services.
3 - Enable ASUS AiProtection, if your router supports this feature. Instructions on how to do this can be found in your router’s manual, or on the relevant ASUS support page, at https://www.asus.com/Networking/.
Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger.
For further help with router setup and an introduction to network security, please visit
https://www.asus.com/support/FAQ/1008000
https://www.asus.com/support/FAQ/1039292
The new firmware incorporates the following security fixes.
1. Fixed CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2018-1160, CVE-2022-38393, CVE-2022-26376
2. Fixed DoS vulnerabilities in firewall configuration pages.
3. Fixed DoS vulnerabilities in httpd.
4. Fixed information disclosure vulnerability.
5. Fixed null pointer dereference vulnerabilities.
6. Fixed the cfg server vulnerability.
7. Fixed the vulnerability in the log message function.
8. Fixed Client DOM Stored XSS
9. Fixed HTTP response splitting vulnerability
10. Fixed status page HTML vulnerability.
11. Fixed HTTP response splitting vulnerability.
12. Fixed Samba related vulnerabilities.
13. Fixed Open redirect vulnerability.
14. Fixed token authentication security issues.
15. Fixed security issues on the status page.
16. Enabled and supported ECDSA certificates for Let's Encrypt.
17. Enhanced protection for credentials.
18. Enhanced protection for OTA firmware updates.
We strongly encourage you to periodically audit both your equipment and your security procedures, as this will ensure that you will be better protected. As a user of an ASUS router, we advise taking the following actions:
1 - Update your router to the latest firmware. We strongly recommend that you do so as soon as new firmware is released. You will find the latest firmware available for download from the ASUS support page at https://www.asus.com/support/ or the appropriate product page at https://www.asus.com/Networking/. ASUS has provided a link to new firmware for selected routers at the end of this notice.
2 - Set up separate passwords for your wireless network and router-administration page. Use passwords with a length of at least eight characters, including a mix of capital letters, numbers and symbols. Do not use the same password for multiple devices or services.
3 - Enable ASUS AiProtection, if your router supports this feature. Instructions on how to do this can be found in your router’s manual, or on the relevant ASUS support page, at https://www.asus.com/Networking/.
Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger.
For further help with router setup and an introduction to network security, please visit
https://www.asus.com/support/FAQ/1008000
https://www.asus.com/support/FAQ/1039292
The new firmware incorporates the following security fixes.
1. Fixed CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2018-1160, CVE-2022-38393, CVE-2022-26376
2. Fixed DoS vulnerabilities in firewall configuration pages.
3. Fixed DoS vulnerabilities in httpd.
4. Fixed information disclosure vulnerability.
5. Fixed null pointer dereference vulnerabilities.
6. Fixed the cfg server vulnerability.
7. Fixed the vulnerability in the log message function.
8. Fixed Client DOM Stored XSS
9. Fixed HTTP response splitting vulnerability
10. Fixed status page HTML vulnerability.
11. Fixed HTTP response splitting vulnerability.
12. Fixed Samba related vulnerabilities.
13. Fixed Open redirect vulnerability.
14. Fixed token authentication security issues.
15. Fixed security issues on the status page.
16. Enabled and supported ECDSA certificates for Let's Encrypt.
17. Enhanced protection for credentials.
18. Enhanced protection for OTA firmware updates.
Source: ASUS Product Security Advisory
Learn more about the critical vulnerabilities:
CVE-2022-26376
A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7.. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.
CVE-2018-1160
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.