Taiwanese business ASUS on Monday introduced firmware updates to deal with, among other issues, 9 security bugs impacting a vast array of router designs.
Of the 9 security flaws, two are rated Critical and six are rated Higher in severity. Just one vulnerability is at this time awaiting analysis.
The listing of impacted items are GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.
Topping the record of fixes are CVE-2018-1160 and CVE-2022-26376, both of those of which are rated 9.8 out of a greatest of 10 on the CVSS scoring procedure.
CVE-2018-1160 problems a virtually five-12 months-aged out-of-bounds produce bug in Netatalk versions in advance of 3.1.12 that could allow a distant unauthenticated attacker to accomplish arbitrary code execution.
CVE-2022-26376 has been described as a memory corruption vulnerability in the Asuswrt firmware that could be activated by implies of a specifically-crafted HTTP request.
The 7 other flaws are as follows –
- CVE-2022-35401 (CVSS score: 8.1) – An authentication bypass vulnerability that could allow an attacker to send out malicious HTTP requests to attain entire administrative entry to the device.
- CVE-2022-38105 (CVSS score: 7.5) – An information and facts disclosure vulnerability that could be exploited to access delicate info by sending specially-crafted network packets.
- CVE-2022-38393 (CVSS score: 7.5) – A denial-of-assistance (DoS) vulnerability that could be triggered by sending a specially-crafted network packet.
- CVE-2022-46871 (CVSS rating: 8.8) – The use of an out-of-day libusrsctp library that could open up qualified equipment to other assaults.
- CVE-2023-28702 (CVSS score: 8.8) – A command injection flaw that could be exploited by a neighborhood attacker to execute arbitrary system instructions, disrupt process, or terminate services.
- CVE-2023-28703 (CVSS score: 7.2) – A stack-primarily based buffer overflow vulnerability that could be exploited by an attacker with admin privileges to execute arbitrary procedure commands, disrupt method, or terminate service.
- CVE-2023-31195 (CVSS score: N/A) – An adversary-in-the-middle (AitM) flaw that could guide to a hijack of a user’s session.
ASUS is recommending that end users use the most up-to-date updates as shortly as feasible to mitigate security challenges. As a workaround, it can be advising consumers to disable products and services accessible from the WAN facet to steer clear of possible undesirable intrusions.
“These solutions include things like distant obtain from WAN, port forwarding, DDNS, VPN server, DMZ, [and] port bring about,” the corporation stated, urging consumers to periodically audit their machines as very well as established up independent passwords for the wi-fi network and the router-administration site.
Uncovered this post appealing? Observe us on Twitter and LinkedIn to read through much more distinctive information we submit.
Some parts of this article are sourced from:
thehackernews.com