Two Flaws in ASUS Routers Call for Immediate Firmware Upgrade

• A MITM and an XSS vulnerability plagued a widely used ASUS router, but a fixing patch is out.
• The problem lies in the fact that the device could be forced not to check the validity of a firmware update.
• ASUS didn’t handle the researcher’s report in the best way, so the security advisory was delayed.

If you are using the popular ASUS AC1900 dual-bank Wi-Fi router, then you should immediately upgrade your firmware to version 3.0.0.4.385_20253 or later. Anything older than that is vulnerable to “CVE-2020-15498” and “CVE-2020-15499”, which concern the lack of certificate checking process and a cross-site scripting vulnerability, respectively.

The flaws were discovered by Trustwave SpiderLabs researcher Martin Rakhmanov, back in December 2019. ASUS released a patch in March 2020, but they failed to confirm that it addressed both flaws, so it took the researcher time to confirm it himself and then publish the associated security advisory.

The AC1900 Router, Source: ASUS

We have previously discussed the perilous consequences of using unsigned firmware updates and analyzed how this remains a huge problem in the hardware industry. The main risk is the possibility of data interception by malicious attackers, and this is precisely the case with the ASUS router flaws.

Further reading: Modern Laptops and Network Cards Still Using Unsigned Firmware

As the researcher explains, MITM attacks could be carried out by connecting the device to a malicious network, after the attacker pushed a fake firmware update using forged server certificates. The problem is the existence of the “--no-check-certificate” option that can be passed to the wget tool.

The second flaw would allow someone to forge a fake certificate, send a message that a new firmware update is available, and plant an arbitrary javascript snippet in a firmware image. When the victim clicks on the link that would supposedly take them to the release notes, but this action is instead triggering the XSS vulnerability, executing the javascript code.

Since that code could be anything, the consequences vary. There are no mitigation steps for either of the flaws, and the only way to remedy the security risks is to upgrade the firmware of your ASUS router.

We touched the subject of router security only a couple of weeks back, making the bold but unfortunately truthful claim that almost all of them are vulnerable one way or another. That said, you should treat them as a liability and take every possible step to increase their level of security.

That would include applying firmware updates immediately, changing the default credentials with something unique and strong, and replacing your router device after a couple of years with a newer model that is actively supported by the manufacturer. Even then, you can never be sure, but you’ll at least enjoy the tranquillity of having done everything you could from the user’s side.