Critical vulnerabilities in numerous ASUS routers
According to a report by security expert Kyle Lovett on the Bugtraq mailing list, critical security vulnerabilities exist in numerous ASUS routers and can be remotely exploited to take complete control of the router. The weak point is the AiCloud media server. If AiCloud is activated, unauthorised users can access critical system files over the internet – including files containing access credentials for the router in plain text format.
Attackers can use these credentials to access personal files stored on any devices connected to the router's USB ports. Attackers may also be able to use AiCloud to access network shares on other computers on the router's network.
According to Lovett, the vulnerabilities also allow write access to system files, enabling attackers to carry out actions such as setting up a VPN tunnel to the router network. Attackers can also access all network traffic passing through the router.
The following models are reported to be affected:
The H's associates at heise Security were able to gain access to plain text access credentials on a model RT-N66U router running the latest firmware (version 220.127.116.11.370).
In June, Lovett released details of some related vulnerabilities, and explained that he had released additional information because he was not satisfied with ASUS's response. According to Lovett, ASUS has since made no effort to warn affected router users. In June he criticised the fact that the firmware was based on Linux kernel 18.104.22.168, which dates from 2007, and that other tools were also outdated.
In March, another researcher reported that the root filesystem can be accessed on the RT-N66U via the Samba server and that the UPnP server listens on the WAN interface, exposing it to potential attacks over the web.
Until ASUS provides secure firmware versions, users of affected devices should disable the AiCloud function via the menu option in its web interface. This ensures that the vulnerable server is no longer accessible by navigating to the router's IP address over HTTPS. Security expert Lovett is also advising users to disable UPnP services and any remote access options and to change the router password.
Contacted by heise Security, ASUS said that updates are available from the company's support page for the two router models RT-AC66U and RT-N66U. The company says that it will offer fixes for the other affected models "soon". In the meantime, ASUS recommends turning off all AiCloud functions like Cloud Disk, Smart Access and Smart Sync.