Configuring VPN Remote Access for the first time on your Sophos XG Firewall? Check out this useful Community post!
Original Publication Date: 26-05-2014
Updated Date: 26-05-2014
In April this year, ASUS released a firmware update (18.104.22.168.374.5656) for multiple RT series of routers that resolved multiple publicly disclosed vulnerabilities including a Remote Code Execution (CVE-2013-5948), a Password Disclosure (CVE-2014-2719) and a Cross-Site Scripting (CVE-2014-2925) vulnerability.
Note: This advisory will be updated as additional information is available.
Affected ASUS Routers:
· Asus RT-N12 D1 Router
· Asus RT-N10U B Router
· Asus RT-AC56U Wireless Router
· Asus RT-N66W Router
· Asus RT-N66R Router
· Asus RT-AC66U Router
· Asus RT-AC66R Router
Information about the Vulnerabilities
· Remote Code Execution Vulnerability (CVE-2013-5948)
This vulnerability allows for an authenticated user to perform arbitrary command execution within the Network Tools of web management interface of the affected ASUS RT series routers. The vulnerability is due to a bug with the "Network Analysis" tab of this web management interface, that results in granting remote command execution to logged in users.
· Password Disclosure Vulnerability (CVE-2014-2719)
This vulnerability allows remote authenticated users of affected ASUS RT series routers to obtain the administrator user name and password by reading the source code. The vulnerability is due to the fact that the source code displays the login credentials in plain text. Thus, if the administrator is logged in, an attacker can browse to <router_address>/Advanced_System_Content.asp and easily obtain the username and password of the logged in administrator.
· Cross-SiteScripting Vulnerability (CVE-2014-2925)
This vulnerability allows attacks against users using web management interface of the affected ASUS RT series routers. An attacket can lure the users into clicking a link provided with malicious content, which in turn, executes on the context of the victim's browser. An attacker can exploit the bug with "Wireless" tab of this web management interface to execute malicious content within another user's browser.
Cyberoam provides the additional information in the blog: Vulnerability Alert – Multiple ASUS products affected.
1. IPS Signature
To mitigate the mentioned vulnerabilities, Cyberoam has released IPS Signature Versions 3.11.66 and 5.11.66 containing IPS signatures named “Asus RT Series Remote Code Execution Vulnerability”, “Asus RT Series Password Disclosure Vulnerability” and “Asus RT Series Cross Site Scripting Vulnerability”.
By default, once the IPS policy with the mentioned signatures is applied through Firewall, the connections attempting to exploit the said vulnerabilitywill be allowed. However, in the event of a suspicious activity, the administrator would receive an IPS Alert. The administrator can check the details of the alert from IPS Logs, verify if it is a threat or false positive and accordingly, take the corrective actions. For Cyberoam customers using RT series routers running firmware lower than 22.214.171.124.374.5656, should modify the default action of all three signatures to “Drop”.
We request all Cyberoam customers to verify the version of IPS Signaturefrom the Dashboard of their Appliances. Click here to read the Release Notes for IPS SignatureVersions 3.11.66 and 5.11.66.
2. After upgrading the IPS Signature Version, Cyberoam recommends all the customers using affected RT series routers to upgrade to the recently released fixed firmware version (126.96.36.199.374. 5656).
26 May 2014
Initial public release containing information about the vulnerabilities.
Added Solution section with infoirmation about How to Mitigate the Vulerabilities using Cyberoam IPS.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.