Asus Home Routers Open to Snooping Attacks
Two flaws in ASUS home routers could allow a hacker to eavesdrop on all of the traffic and data that flows through them. The flaws are found in the RT-AC1900P whole-home Wi-Fi model, within the router's firmware update functionality. The flaws were originally uncovered by Trustwave. ASUS has issued patches for them, and owners are urged to apply the updates as soon as they can.
The first issue, CVE-2020-15498, stems from a lack of certificate checking. The router uses GNU Wget to fetch firmware updates from ASUS servers. It's possible to log in via SSH and use the Linux/Unix grep command to search through the filesystem for --no-check-certificate; finding that string means the vulnerability is present. In affected routers, the files containing that string are shell scripts that perform downloads from the ASUS update servers. This string indicates that there's no certificate checking, so a hacker could use forged certificates to force the install of malicious files on the targeted device. Hackers would need to be connected to the vulnerable router to perform a man-in-the-middle attack, which would allow complete access to all traffic going through the device.
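The grep check described above, written out as an added example (not code from Trustwave or ASUS): it reports only lines that actually run wget with --no-check-certificate and skips commented-out lines and binary-match notices. It assumes a grep with -r and -H, as in GNU grep; the function names, sample file names and example.invalid URLs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a filesystem tree for download scripts that call
# wget with certificate checking disabled.

# audit_wget_nocheck ROOT
# Prints "file:line:text" for every non-comment line under ROOT that runs
# wget with --no-check-certificate. Returns 0 if any were found, 1 if none.
audit_wget_nocheck() {
    # -e keeps the pattern's leading dashes from being parsed as grep options.
    grep -rHn -e '--no-check-certificate' -- "$1" 2>/dev/null |
    awk '
        # Ignore anything that is not "file:line:text" (binary-match notices).
        $0 !~ /^[^:]*:[0-9]+:/ { next }
        {
            text = $0
            sub(/^[^:]*:[0-9]+:/, "", text)
            if (text ~ /^[ \t]*#/) next            # comment-only line
            if (text ~ /(^|[^A-Za-z0-9_])wget([ \t]|$)/) { print; found = 1 }
        }
        END { exit(found ? 0 : 1) }'
}

# make_sample_tree: builds a small CONSTRUCTED tree (file names and URLs are
# made up for this example) and prints its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/sbin"
    cat > "$d/usr/sbin/fetch_update.sh" <<'EOF'
#!/bin/sh
# wget --no-check-certificate was used during testing
wget -q --no-check-certificate -O /tmp/fw.bin https://updates.example.invalid/fw.bin
EOF
    cat > "$d/usr/sbin/fetch_notes.sh" <<'EOF'
#!/bin/sh
wget -q -O /tmp/notes.txt https://updates.example.invalid/notes.txt
EOF
    printf '%s\n' "$d"
}

# Stand-alone use: pass the directory to audit as the first argument.
if [ "${1:-}" ]; then audit_wget_nocheck "$1"; fi
```

A return status of 1 after a firmware update means no script under the audited tree still disables certificate checking for wget.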
The second bug, CVE-2020-15499, is a cross-site scripting vulnerability in the Web Management interface related to firmware updates. The release notes page did not properly escape the contents of the page before rendering it to the user. This means that a legitimate administrator could be attacked by a hacker using the first MITM finding and chaining it with arbitrary JavaScript code execution.
Since routers typically define a network, attacks targeting them can potentially affect all traffic in and out of your network. ASUS patched the issues in firmware version 3.0.0.4.385_20253. In a security review of 127 routers, routers by vendors such as D-Link, Netgear, ASUS, Linksys, TP-Link and Zyxel were affected, on average, by 53 critical-rated vulnerabilities (CVEs), with even the most secure device having 21 CVEs.