2023-06-19 - Asus security update

[megamorf]

Asus has just released a bunch of security updates and I wanted to ask if those are already part of or scheduled to be included in the next release:

https://www.asus.com/content/asus-product-security-advisory/

---

New firmware with accumulate security updates for GT6/GT-AXE16000/GT-AX11000 PRO/GT-AXE11000/GT-AX6000/GT-AX11000/GS-AX5400/GS-AX3000/XT9/XT8/XT8 V2/RT-AX86U PRO/RT-AX86U/RT-AX86S/RT-AX82U/RT-AX58U/RT-AX3000/TUF-AX6000/TUF-AX5400 ∇

We strongly encourage you to periodically audit both your equipment and your security procedures, as this will ensure that you will be better protected. As a user of an ASUS router, we advise taking the following actions:

1. Update your router to the latest firmware. We strongly recommend that you do so as soon as new firmware is released. You will find the latest firmware available for download from the ASUS support page at https://www.asus.com/support/or the appropriate product page at https://www.asus.com/Networking/. ASUS has provided a link to new firmware for selected routers at the end of this notice.
2. Set up separate passwords for your wireless network and router-administration page. Use passwords with a length of at least eight characters, including a mix of capital letters, numbers and symbols. Do not use the same password for multiple devices or services.
3. Enable ASUS AiProtection, if your router supports this feature. Instructions on how to do this can be found in your router’s manual, or on the relevant ASUS support page, at https://www.asus.com/Networking/.

 

Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger.

For further help with router setup and an introduction to network security, please visit
https://www.asus.com/support/FAQ/1008000
https://www.asus.com/support/FAQ/1039292

 

The new firmware incorporates the following security fixes.

1. Fixed CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2018-1160, CVE-2022-38393, CVE-2022-26376
2. Fixed DoS vulnerabilities in firewall configuration pages.
3. Fixed DoS vulnerabilities in httpd.
4. Fixed information disclosure vulnerability.
5. Fixed null pointer dereference vulnerabilities.
6. Fixed the cfg server vulnerability.
7. Fixed the vulnerability in the logmessage function.
8. Fixed Client DOM Stored XSS
9. Fixed HTTP response splitting vulnerability
10. Fixed status page HTML vulnerability.
11. Fixed HTTP response splitting vulnerability.
12. Fixed Samba related vulerabilities.
13. Fixed Open redirect vulnerability.
14. Fixed token authentication security issues.
15. Fixed security issues on the status page.
16. Enabled and supported ECDSA certificates for Let's Encrypt.
17. Enhanced protection for credentials.
18. Enhanced protection for OTA firmware updates.

 

 

Model name | Firmware download path -- | -- GT6 | https://rog.asus.com/networking/rog-rapture-gt6-model/helpdesk_bios/ GT-AXE16000 | https://rog.asus.com/networking/rog-rapture-gt-axe16000-model/helpdesk_bios/ GT-AXE11000 PRO | https://rog.asus.com/networking/rog-rapture-gt-ax11000-pro-model/helpdesk_bios/ GT-AXE11000 | https://rog.asus.com/networking/rog-rapture-gt-axe11000-model/helpdesk_bios/ GT-AX6000 | https://rog.asus.com/networking/rog-rapture-gt-ax6000-model/helpdesk_bios/ GT-AX11000 | https://rog.asus.com/networking/rog-rapture-gt-ax11000-model/helpdesk_bios/ GS-AX5400 | https://rog.asus.com/networking/rog-strix-gs-ax5400-model/helpdesk_bios/ GS-AX3000 | https://rog.asus.com/networking/rog-strix-gs-ax3000-model/helpdesk/ ZenWiFi XT9 | https://www.asus.com/networking-iot-servers/whole-home-mesh-wifi-system/zenwifi-wifi-systems/asus-zenwifi-xt9/helpdesk_bios/?model2Name=ASUS-ZenWiFi-XT9 ZenWiFi XT8 | https://www.asus.com/networking-iot-servers/whole-home-mesh-wifi-system/zenwifi-wifi-systems/asus-zenwifi-ax-xt8/helpdesk_bios/?model2Name=ASUS-ZenWiFi-AX-XT8 ZenWiFi XT8_V2 | https://www.asus.com/networking-iot-servers/whole-home-mesh-wifi-system/zenwifi-wifi-systems/asus-zenwifi-ax-xt8/helpdesk_bios/?model2Name=ASUS-ZenWiFi-AX-XT8 RT-AX86U PRO | https://www.asus.com/networking-iot-servers/wifi-routers/asus-gaming-routers/rt-ax86u-pro/helpdesk_bios/?model2Name=RT-AX86U-Pro RT-AX86U | https://www.asus.com/networking-iot-servers/wifi-6/all-series/rt-ax86u/helpdesk_bios/?model2Name=RT-AX86-Series-RT-AX86U-RT-AX86S RT-AX86S | https://www.asus.com/networking-iot-servers/wifi-6/all-series/rt-ax86u/helpdesk_bios/?model2Name=RT-AX86-Series-RT-AX86U-RT-AX86S RT-AX82U | https://www.asus.com/networking-iot-servers/wifi-routers/asus-gaming-routers/rt-ax82u/helpdesk_bios/?model2Name=RT-AX82U RT-AX58U | https://www.asus.com/networking-iot-servers/wifi-routers/asus-wifi-routers/rt-ax58u/helpdesk_bios/?model2Name=RT-AX58U RT-AX3000 | https://www.asus.com/us/networking-iot-servers/wifi-routers/asus-wifi-routers/rt-ax3000/helpdesk_bios/?model2Name=RT-AX3000 TUF-AX6000 | https://www.asus.com/networking-iot-servers/wifi-routers/asus-gaming-routers/tuf-gaming-ax6000/helpdesk_bios/?model2Name=TUF-Gaming-AX6000 TUF-AX5400 | https://www.asus.com/networking-iot-servers/wifi-routers/asus-gaming-routers/tuf-gaming-ax5400/helpdesk_bios/?model2Name=TUF-Gaming-AX5400

[Nilssonfpv]

This should be prio 1 on the todo list 😅 CVE-2022-26376 Is Baad, ranked 9.8/10 on the risk scale.

Edit: nvm seems it has already been fixed in wrt-merlin newer then 386.7.

[gnuton]

@Nilssonfpv correct beside that also the issue from 2018 was fixed in an old release that I know. In any case we are in touch with ASUS and the new GPLs should come soon.

[stmuk]

I was wondering what the status of this was and whether upgrading to stable 388.2_2_0 or an unstable release is recommended?

[gnuton]

most of the issues here were already fixed in Merlin. If you wanna get covered about the latest issue, jsut install the beta2 which is stable enough