ASUS has launched a brand new firmware replace that addresses a vulnerability impacting seven router fashions that permit far off attackers to log in to gadgets.
The flaw, tracked as CVE-2024-3080 (CVSS v3.1 ranking: 9.8 “vital”), is an authentication bypass vulnerability permitting unauthenticated, far off attackers to take regulate of the gadget.
ASUS says the problem affects the next router fashions:
- XT8 (ZenWiFi AX XT8) – Mesh WiFi 6 machine providing tri-band protection with speeds as much as 6600 Mbps, AiMesh enhance, AiProtection Professional, seamless roaming, and parental controls.
- XT8_V2 (ZenWiFi AX XT8 V2) – Up to date model of the XT8, keeping up equivalent options with improvements in efficiency and steadiness.
- RT-AX88U – Twin-band WiFi 6 router with speeds as much as 6000 Mbps, that includes 8 LAN ports, AiProtection Professional, and adaptive QoS for gaming and streaming.
- RT-AX58U – Twin-band WiFi 6 router offering as much as 3000 Mbps, with AiMesh enhance, AiProtection Professional, and MU-MIMO for environment friendly multi-device connectivity.
- RT-AX57 – Twin-band WiFi 6 router designed for fundamental wishes, providing as much as 3000 Mbps, with AiMesh enhance and fundamental parental controls.
- RT-AC86U – Twin-band WiFi 5 router with speeds as much as 2900 Mbps, that includes AiProtection, adaptive QoS, and recreation acceleration.
- RT-AC68U – Twin-band WiFi 5 router providing as much as 1900 Mbps, with AiMesh enhance, AiProtection, and powerful parental controls.
ASUS suggests that folks replace their gadgets to the most recent firmware variations to be had on its obtain portals (hyperlinks for every fashion above). Firmware replace directions are to be had in this FAQ web page.
For the ones not able to replace the firmware right away, the seller suggests they make sure their account and WiFi passwords are sturdy (over 10 non-consecutive characters lengthy).
Additionally, it’s endorsed to disable web get entry to to the admin panel, far off get entry to from WAN, port forwarding, DDNS, VPN server, DMZ, and port cause.
Yet one more vulnerability addressed at the similar bundle is CVE-2024-3079, a high-severity (7.2) buffer overflow drawback that calls for admin account get entry to to take advantage of.
Taiwan’s CERT has additionally knowledgeable the general public about CVE-2024-3912 in a publish the previous day, which is a vital (9.8) arbitrary firmware add vulnerability permitting unauthenticated, far off attackers to execute machine instructions at the gadget.
The flaw affects a couple of ASUS router fashions, however now not all might be getting safety updates because of them having reached their end-of-life (EoL).
The proposed answer in line with impacted fashion is:
- DSL-N17U, DSL-N55U_C1, DSL-N55U_D1, DSL-N66U: Improve to firmware model 1.1.2.3_792 or later.
- DSL-N12U_C1, DSL-N12U_D1, DSL-N14U, DSL-N14U_B1: Improve to firmware model 1.1.2.3_807 or later.
- DSL-N16, DSL-AC51, DSL-AC750, DSL-AC52U, DSL-AC55U, DSL-AC56U: Improve to firmware model 1.1.2.3_999 or later.
- DSL-N10_C1, DSL-N10_D1, DSL-N10P_C1, DSL-N12E_C1, DSL-N16P, DSL-N16U, DSL-AC52, DSL-AC55: EoL date reached, alternative is beneficial.
Obtain Grasp safety updates
In spite of everything, ASUS introduced an replace to Obtain Grasp, a software used on ASUS routers that allows customers to regulate and obtain information immediately to a attached USB garage gadget by means of torrent, HTTP, or FTP.
The newly launched Obtain Grasp model 3.1.0.114 addresses 5 medium to high-severity problems regarding arbitrary document add, OS command injection, buffer overflow, mirrored XSS, and saved XSS issues.
Although none of the ones is as vital as CVE-2024-3080, it’s endorsed that customers improve their software to model 3.1.0.114 or later for optimum safety and coverage.