FortiGuard Labs Discovers Vulnerability in Asus Router

Over the last few weeks, ASUS released a series of patches aimed at addressing a number of vulnerabilities discovered in their RT routers running AsusWRT firmware. The models listed at the end of this post are known to be vulnerable. If you are not sure which model or firmware you are using, I recommend double-checking the ASUS support website to get the latest information and updates.

FG-VD-17-216 is an ASUS authenticated remote code execution vulnerability that FortiGuard Labs originally discovered and reported. If your web management portal is available via your WAN connection, and you don’t use that feature, we recommend disabling it (it’s not the default parameter). If, however, you depend on that feature, we suggest setting a strong password and only using HTTPS for router administrative tasks. If a criminal is able to access that portal, or if he can trick you into following a malicious link, he will be able to execute an HTTP request that injects operating system commands that can run directly on the router.

Technically, vulnerable models are prone to OS command injections via unsanitized parameters passed to /apply.cgi. We believe that this vulnerability is a regression that was inadvertently reintroduced in the previous firmware version (in our case, the test device was an RT-AC3200 running firmware In Main_Analysis_Content.asp in particular, the SystemCmd variable is created on the client side in the JavaScript function updateOptions(), which in turn uses the values from the input fields pingCNT and destIP. A web proxy can then be used to bypass the local checks that are normally done, and then /cmdRet_check.htm is used to asynchronously return the response from the request. The command is then executed with no further checks performed on the server side.

FortiGuard Labs has rated this vulnerability as High because if the HTTP injection attack is successful, commands will be executed with the device’s highest privileges (root user). However, it should be noted that to be successful, the attacker would also need to obtain the valid authentication token passed in the HTTP Cookie header.

Affected Models:

  • ASUS RT-AC66U, RT-AC68U, RT-AC86U, RT-AC88U, RT-AC1900, RT-AC2900, and RT-AC3100 versions before are vulnerable.
  • ASUS RT-N18U versions before are vulnerable.
  • ASUS RT-AC87U, RT-AC3200 versions before are vulnerable.
  • ASUS RT-AC5300 versions before are vulnerable.
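
The analysis above notes that the checks on pingCNT and destIP run only in the browser and that the server executes the resulting command without checks of its own. As an added illustration (not ASUS's patch or firmware code), this C example re-validates both fields on the server and fills an argument vector for execv(), so no shell ever parses them. The function names, the limit of 10 pings and the `ping -c` invocation are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_HOST 253  /* longest valid DNS name */
#define MAX_COUNT 10  /* assumed upper bound for pingCNT */

/* destIP: IPv4 literal or hostname only (alphanumerics, '.', '-').
 * A leading '-' is rejected so the value can never be read as a ping option. */
static int valid_dest(const char *s) {
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > MAX_HOST || s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* pingCNT: decimal digits only, value 1..MAX_COUNT. Returns -1 on error. */
static long parse_count(const char *s) {
    char *end;
    if (!s || !isdigit((unsigned char)s[0])) return -1;
    long v = strtol(s, &end, 10);  /* overflow yields LONG_MAX, rejected below */
    return (*end == '\0' && v >= 1 && v <= MAX_COUNT) ? v : -1;
}

/* Fill argv for execv() of the ping binary; returns 0 on success, -1 if a field is invalid. */
int build_ping_argv(const char *dest_ip, const char *ping_cnt,
                    char cnt_buf[16], const char *argv[5]) {
    long cnt = parse_count(ping_cnt);
    if (cnt < 0 || !valid_dest(dest_ip)) return -1;
    snprintf(cnt_buf, 16, "%ld", cnt);
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = cnt_buf;
    argv[3] = dest_ip; argv[4] = NULL;
    return 0;
}

int main(void) {
    /* Constructed sample field values, not captured traffic. */
    const char *in[][2] = { {"192.0.2.1", "3"}, {"192.0.2.1;id", "3"},
                            {"-f", "3"}, {"example.com", "3 4"} };
    for (size_t i = 0; i < 4; i++) {
        char buf[16]; const char *argv[5];
        printf("destIP=%-13s pingCNT=%-4s -> %s\n", in[i][0], in[i][1],
               build_ping_argv(in[i][0], in[i][1], buf, argv) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The server accepts the two fields rather than a ready-made command string, so a request altered in a proxy can change only a hostname and a count, and both are re-checked before anything is executed.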

Disclosure Timeline:

  • Dec 23 2017 – FortiGuard Labs contacts the ASUS Security Team by email
  • Dec 25 2017 – The ASUS Security Team replies that they have started their investigation
  • Dec 27 2017 – The ASUS Security Team provides a patch for the FortiGuard Labs team to test
  • Dec 27 2017 – FortiGuard Labs confirms that the patch fixes the vulnerability
  • Jan 02 2018 – ASUS begins to widely roll out the new patch

When this vulnerability was initially discovered, Fortinet also immediately released IPS signature Asus.Apply.CGI.POST.Buffer.Overflow to proactively protect our customers. I would like to thank the ASUS Security Team for their quick turn-around in fixing the vulnerability we reported.

-= FortiGuard Lion Team =-
