ASUS has announced a raft of firmware updates to fix critical vulnerabilities found in a number of router devices.
The firm revealed that nine security vulnerabilities were discovered in networking appliances - two of which were rated as ‘critical’ with six designated as ‘high’ risk.
Tracked as CVE-2018-1160 and CVE-2022-26376, the two critical vulnerabilities were given a 9.8 severity rating out of a possible 10, the company said.
Analysis shows that the former of these pertains to an out of bounds write bug found in Netatalk prior to version 3.1.12. This near-five-year-old vulnerability could enable an unauthorised party to achieve arbitrary code execution.
Meanwhile, CVE-2022-26376 is a memory corruption vulnerability found in Asuswrt and Asuswrt-Merlin New Gen firmware. This flaw could allow an attacker to trigger this vulnerability by leveraging a “specially-crafted HTTP” request, which would cause memory corruption.
Nearly 20 router models have been affected by disclosed vulnerabilities, ASUS revealed.
These include:
- GT6
- GT-AXE16000
- GT-AX11000 PRO
- GT-AXE11000
- GT-AX6000
- GT-AX11000
- GS-AX5400
- GS-AX3000
- XT9
- XT8
- XT8 V2
- RT-AX86U PRO
- RT-AX86U
- RT-AX86S
- RT-AX82U
- RT-AX58U
- RT-AX3000
- TUF-AX6000
- TUF-AX5400.
In its security advisory on 19 June, ASUS urged customers to patch affected routers as soon as possible to avoid risk of exposure.
The firm warned that customers choosing not to install new firmware updates should disable services accessible from via WAN to “avoid potential unwanted intrusions”.
“These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger,” ASUS said.
The company also recommended frequent auditing of equipment to ensure firmware is up to date and to mitigate risk.
“We strongly encourage you to periodically audit both your equipment and your security procedures, as this will ensure that you will be better protected,” the firm said.
