Latest firmware updates for Asus routers fix CSRF security flaws

The vulnerabilities could allow hackers to modify routers' settings through cross-site request forgery attacks

Users of Asus RT-N and RT-AC series routers should install the latest firmware updates released for their models because they address vulnerabilities that could allow attackers to hijack router settings.

The flaws were discovered by researchers from security consultancy outfit Nightwatch Cybersecurity and leave many Asus router models exposed to cross-site request forgery (CSRF) attacks.

CSRF is an attack technique that involves hijacking a user's browser when visiting a specially crafted website and forcing it to send unauthorized requests to a different website -- or in this case, the router web-based administration interface accessible over the local area network (LAN).

The login page for the web interface of most Asus routers running the company's unified AsusWRT firmware doesn't have any type of CSRF protection, according to the Nightwatch researchers. This allows malicious websites to send login requests to Asus routers through users' browsers without their knowledge.

In order to pull off such an attack, hackers need to know the LAN IP address of the targeted router and the password for its admin account. In many cases this information is easy to obtain.

There are ways for web pages to scan a visitor's local network for devices. There is even an open-source JavaScript framework called Sonar.js that contains "fingerprints" for different routers.

However, such advanced techniques are not even needed in most cases, because users rarely change their router's default IP address -- in the case of Asus routers.

Many users also don't change their router's default and publicly documented username and password combination -- admin/admin for Asus routers. Some users don't change these credentials because they don't know how, while others don't do it out of convenience and based on the false belief that their router cannot be attacked because its web interface is not exposed to the internet.

Unfortunately, this thinking doesn't take into account CSRF and other LAN-based attacks. Large-scale CSRF campaigns that hijacked routers' settings have been observed in the wild over the past few years, and security vendors recently found computer and mobile malware programs designed to compromise routers over the local area network.

Once authenticated on the router via CSRF, an attacker would have no problem changing a setting, the Nightwatch researchers said in an advisory this week. That's because the page that saves any configuration modifications also lacks CSRF protection, they said.
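The two gaps the advisory describes (a login page and a settings-save page that accept requests from any origin) are easiest to see next to the defences that close them. The following is an added illustration, not AsusWRT code or anything from the Nightwatch advisory: a toy settings endpoint in Python handled two ways, once trusting the session cookie alone and once adding an Origin check and a per-session synchronizer token. The host name `router.lan`, the field names and the addresses are constructed for the example.

```python
"""Router settings endpoint modelled two ways: the unprotected form the
advisory describes, and a form with standard CSRF defences. Added example
with constructed names; not AsusWRT code."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed: the admin interface's own origin as the browser sees it.
ROUTER_ORIGIN = "http://router.lan"
# Only these form fields may change settings; everything else is ignored.
SETTING_KEYS = {"dns1", "dns2"}


def origin_of(url: str) -> str:
    """Reduce a URL (e.g. a Referer) to scheme://host[:port], or '' if unusable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}"


@dataclass
class Request:
    """The parts of an HTTP POST that the handlers inspect (constructed)."""
    headers: dict
    cookies: dict
    form: dict


@dataclass
class Router:
    settings: dict = field(default_factory=lambda: {"dns1": "", "dns2": ""})
    sessions: dict = field(default_factory=dict)  # session id -> CSRF token

    def login(self):
        """Start an authenticated session and mint the CSRF token bound to it.
        The token is embedded in the settings form; a third-party page never sees it."""
        sid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.sessions[sid] = token
        return sid, token

    def _apply(self, form: dict) -> None:
        for key in SETTING_KEYS.intersection(form):
            self.settings[key] = form[key]

    def save_settings_unprotected(self, req: Request) -> int:
        """Trusts the session cookie alone. The browser attaches that cookie to a
        cross-site POST as readily as to a same-site one, so a logged-in user who
        visits a hostile page has their settings rewritten."""
        if req.cookies.get("sid") not in self.sessions:
            return 401
        self._apply(req.form)
        return 200

    def save_settings_protected(self, req: Request) -> int:
        """Same endpoint with two independent CSRF checks."""
        sid = req.cookies.get("sid")
        if sid not in self.sessions:
            return 401
        # Check 1: the request must come from the router's own origin. Browsers set
        # Origin on cross-site POSTs to the initiating site; fall back to Referer.
        origin = req.headers.get("Origin") or origin_of(req.headers.get("Referer", ""))
        if origin != ROUTER_ORIGIN:
            return 403
        # Check 2: the synchronizer token must match the one issued to this session.
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token, self.sessions[sid]):
            return 403
        self._apply(req.form)
        return 200


def demo() -> dict:
    """Run one same-site and one cross-site POST through both handlers."""
    results = {}
    for name in ("unprotected", "protected"):
        router = Router()
        sid, token = router.login()
        handler = getattr(router, f"save_settings_{name}")
        same_site = Request({"Origin": ROUTER_ORIGIN}, {"sid": sid},
                            {"dns1": "10.0.0.1", "csrf_token": token})
        # A form auto-submitted by a third-party page: the cookie rides along,
        # the Origin is that page's, and the token is absent (constructed values).
        cross_site = Request({"Origin": "http://third-party.example"}, {"sid": sid},
                             {"dns1": "198.51.100.7"})
        results[name] = {
            "same_site": handler(same_site),
            "cross_site": handler(cross_site),
            "dns1": router.settings["dns1"],
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Either check on its own would have stopped the cross-site request in the demo; using both means a browser that omits Origin or a token leaked through some other bug does not by itself reopen the hole. The same pair of checks applies to the login form, which is where the advisory says the problem starts.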

A common attack against routers is to change their DNS (Domain Name System) server settings, forcing them to use a DNS server controlled by attackers. Since DNS is used to translate domain names into IP addresses, attackers can use their control over DNS responses to direct users who connect through a compromised router to fake web pages.

This enables powerful phishing attacks because the browser address bar would continue to display the correct domain name for the legitimate website the user tried to access, but the loaded page would be provided by attackers.
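A changed DNS server is silent from the user's side, which is why it is worth checking for. The following is an added example, not part of the article: a small Python audit that parses a client's resolv.conf-style configuration and flags any nameserver outside an allow list of addresses or CIDR blocks. The sample configuration, the router address `10.0.0.1` and the unexpected server `198.51.100.7` (a documentation-range address) are all constructed.

```python
"""Check a client's resolver configuration against the DNS servers that
should be in use. Added example with constructed data; not from the article."""
import ipaddress

# Constructed: what the DHCP-configured resolver file on a LAN client might hold.
# The second server is in a documentation range and stands in for an address
# the network owner never configured.
SAMPLE_RESOLV_CONF = """\
# Generated by the DHCP client
search home.lan
nameserver 10.0.0.1
nameserver 198.51.100.7
options timeout:2
"""

# Constructed: the router's LAN address, which normally forwards DNS for clients.
EXPECTED_RESOLVERS = ["10.0.0.1"]


def parse_nameservers(text: str) -> list:
    """Return the nameserver addresses in resolv.conf-style text, in order.
    Comments, other directives and unparsable addresses are skipped."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "nameserver" or len(parts) < 2:
            continue
        try:
            servers.append(str(ipaddress.ip_address(parts[1])))
        except ValueError:
            continue  # not an IP address; resolv.conf would ignore it as well
    return servers


def audit_resolvers(text: str, expected) -> dict:
    """Compare configured nameservers with an allow list of addresses or CIDR
    blocks. A v4 address is never 'in' a v6 network, so mixed lists are safe."""
    allowed = [ipaddress.ip_network(e, strict=False) for e in expected]
    configured = parse_nameservers(text)
    unexpected = [s for s in configured
                  if not any(ipaddress.ip_address(s) in net for net in allowed)]
    return {
        "configured": configured,
        "unexpected": unexpected,
        # No resolver at all is also abnormal for a DHCP-configured client.
        "suspicious": bool(unexpected) or not configured,
    }


if __name__ == "__main__":
    print(audit_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS))
```

On a real machine the text would come from reading the resolver file (or the equivalent `nmcli`/`ipconfig` output), and the allow list from whatever the network owner actually configured; the point of the check is that a resolver the owner did not choose is the one observable symptom of the settings change described above.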

In addition to the CSRF issues, Nightwatch Cybersecurity also found three information leak vulnerabilities that could be exploited from remote websites or mobile applications on the same LAN to expose details about a router's configuration, including its wireless network password.

Asus doesn't consider all of these issues to be security vulnerabilities. The company released firmware updates to fix the CSRF issues and some of the info leaks for many of the affected models in March and April. However, there are user reports that at least one model, the 4G-AC55U, is also vulnerable and has no patch.

A common problem with routers is that even when firmware updates become available, very few users go to the trouble of downloading and installing them on their devices. The firmware update process is not exactly straightforward on routers, and vendors are often not clear about what these updates contain or why they're needed.

For example, the release notes for the new Asus router firmware updates mention that the following security issues have been fixed: CVE-2017-5891, CVE-2017-5892, CVE-2017-6547, CVE-2017-6549, and CVE-2017-6548.

To understand what those vulnerabilities are about, users would have to search the internet on their own, and even then they might find no useful information. For example, if a user had searched for CVE-2017-5891 and CVE-2017-5892 in March or April, they would have found no details. If they search now, they'll likely come across the third-party Nightwatch Cybersecurity advisory published Tuesday.

Since details about these vulnerabilities are now publicly available, Asus router owners should install the firmware updates for their models as soon as possible. There are also other actions that can be taken to reduce the likelihood of routers being compromised in general.

Lucian Constantin

IDG News Service