Serious Vulnerabilities Plague Select ASUS Routers Requiring Manual Firmware Update to Fix

rated by 0 users
This post has 4 Replies | 0 Followers

Top 10 Contributor
Posts 26,101
Points 1,183,675
Joined: Sep 2007
ForumsAdministrator
News Posted: Wed, Feb 19 2014 12:40 PM

It's not too often that a vendor chooses to remain silent about vulnerabilities plaguing its product(s), and it's even rarer to remain silent when fixes are available. For those using N or AC-based ASUS routers, though, it's important to take note: A number of rather serious vulnerabilities might exist if your router's not running the latest firmware.

Most of the vulnerabilities have to do with unauthorized access to networked drives being made possible, either through basic Samba connections or otherwise (lighthttpd, for example). Further, there's the risk of someone being able to entirely bypass the router's authentication.

Affected models: RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, RT-N16R

What makes the situation surrounding these vulnerabilities even stranger is that despite their relative severity, using the firmware check option in the admin is unlikely to yield anything other than a "The router's current firmware is the latest version." message. That's at least the case with me and my RT-N66U - not even a non-beta update from last month is triggered.

For the RT-N66U in particular, ASUS shows these fixes as being handled with the latest (manual) firmware update:

  • Fixed lighthttpd vulnerability.
  • Fixed cross-site scripting vulnerability (CWE-79).
  • Fixed the authentication bypass (CWW-592).
  • Added notification to help avoid security risks.
  • Fixed network place(samba) and FTP vulnerability.

It's important to note that simply using one of the affected routers doesn't make you vulnerable; instead, I believe every single one of them is triggered when a certain cloud-like service is enabled (AiCloud, for example). This isn't too dissimilar from the issue we spoke of just the other day regarding select Linksys routers.

Nonetheless, it should go without saying: If you own one of these routers, you'd be wise to hit-up ASUS' support site and grab the latest firmware update.

  • | Post Points: 50
Top 500 Contributor
Posts 270
Points 3,010
Joined: Sep 2009
Location: Port Orchard, WA

I did know about that. I did update my ASUS AC66U and AC68U routers. Both run great and got it updated. My AC66U was back up router (just in case if something happen to AC68U) I keep AC66U router in the box. Both of then in great shape and run very well. I want to say Thanks for put the post about major firmware upgrade on ASUS routers. I think they did make a great router and kept update on new firmware if need.

  • | Post Points: 20
Top 150 Contributor
Posts 616
Points 5,535
Joined: Sep 2012
Location: Canada
ForumsAdministrator
Moderator
RWilliams replied on Wed, Feb 19 2014 6:44 PM

I love ASUS' routers as well. I went a little while without using one, but then when I got my RT-N66U, I realized what I had been missing. ASUS does a great job with its GUIs... best I've used.

  • | Post Points: 5
Top 100 Contributor
Posts 999
Points 9,255
Joined: Mar 2012
Location: LA, CA
sevags replied on Wed, Feb 19 2014 6:59 PM

Thanks for the heads up! I updated the firmware on my AC66R (identical to ac66u but sold exclusively through best buy) a month ago but I will check to see if there is a newer firmware I can manually upgrade to. Luckily I do not use AIcloud I don't believe home routers should be remotely managed.

I see the AC68U isn't on the list I wonder why?

  • | Post Points: 5
Not Ranked
Posts 8
Points 55
Joined: Mar 2011
Location: Sacramento, CA

I have a RT-N66U but run shibbeys tomato usb firmware, it is way better then Asus firmware. Just have to get familiar with all the options / settings / tabs.

  • | Post Points: 5
Page 1 of 1 (5 items) | RSS