Latest firmware updates for Asus routers fix CSRF security flaws

The vulnerabilities could allow hackers to modify routers' settings through cross-site request forgery attacks

Users of Asus RT-N and RT-AC series routers should install the latest firmware updates released for their models because they address vulnerabilities that could allow attackers to hijack router settings.

The flaws were discovered by researchers from security consultancy outfit Nightwatch Cybersecurity and leave many Asus router models exposed to cross-site request forgery (CSRF) attacks.

CSRF is an attack technique that involves hijacking a user's browser when visiting a specially crafted website and forcing it to send unauthorized requests to a different website -- or in this case, the router web-based administration interface accessible over the local area network (LAN).

The login page for the web interface of most Asus routers running the company's unified AsusWRT firmware doesn't have any type of CSRF protection, according to the Nightwatch researchers. This allows malicious websites to send login requests to Asus routers through users' browsers without their knowledge.

In order to pull off such an attack, hackers need to know the LAN IP address of the targeted router and the password for its admin account. In many cases this information is easy to obtain.

There are ways for web pages to scan a visitor's local network for devices. There is even an open-source JavaScript framework called Sonar.js that contains "fingerprints" for different routers.

However, such advanced techniques are not even needed in most cases, because users rarely change their router's default IP address -- in the case of Asus routers.

Many users also don't change their router's default and publicly documented username and password combination -- admin/admin for Asus routers. Some users don't change these credentials because they don't know how, while others don't do it out of convenience and based on the false belief that their router cannot be attacked because its web interface is not exposed to the internet.

Unfortunately, this thinking doesn't take into account CSRF and other LAN-based attacks. Large-scale CSRF campaigns that hijacked routers' settings have been observed in the wild over the past few years, and security vendors recently found computer and mobile malware programs designed to compromise routers over the local area network.

Once authenticated on the router via CSRF, an attacker would have no problem changing a setting, the Nightwatch researchers said in an advisory this week. That's because the page that saves any configuration modifications also lacks CSRF protection, they said.

A common attack against routers is to change their DNS (Domain Name System) server settings, forcing them to use a DNS server controlled by attackers. Since DNS is used to translate domain names into IP addresses, attackers can use their control over DNS responses to direct users who connect through a compromised router to fake web pages.

This enables powerful phishing attacks because the browser address bar would continue to display the correct domain name for the legitimate website the user tried to access, but the loaded page would be provided by attackers.

In addition to the CSRF issues, Nightwatch Cybersecurity also found three information leak vulnerabilities that could be exploited from remote websites or mobile applications on the same LAN to expose details about a router's configuration, including its wireless network password.

Asus doesn't consider all of these issues as security vulnerabilities. The company released firmware updates to fix the CSRF issues and some of the info leaks for many of the affected models in March and April. However, there are user reports that at least one model, the 4G-AC55U, is also vulnerable and has no patch.

A common problem with routers is that even when firmware updates become available, very few users go to the trouble of downloading and installing them on their devices. The firmware update process is not exactly straightforward on routers, but vendors are often not clear about what these updates contain or why they're needed.

For example, the release notes for the new Asus router firmware updates mention that the following security issues have been fixed: CVE-2017-5891, CVE-2017-5892, CVE-2017-6547, CVE-2017-6549, and CVE-2017-6548.

To understand what those vulnerabilities are about, users would have to search the internet on their own and even then, they might find no useful information. For example, if a user would have searched for CVE-2017-5891 and CVE-2017-5892 in March or April, they would have found no details. If they search now, they'll likely come across the third-party Nightwatch Cybersecurity advisory published Tuesday.

Since details about these vulnerabilities are now publicly available, Asus router owners should install the firmware updates for their models as soon as possible. There are also other actions that can be taken to reduce the likelihood routers being compromised in general.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?