ASUS has launched a brand new firmware replace that addresses a vulnerability impacting seven router fashions that enable distant attackers to log in to gadgets.
The flaw, tracked as CVE-2024-3080 (CVSS v3.1 rating: 9.8 “vital”), is an authentication bypass vulnerability permitting unauthenticated, distant attackers to take management of the system.
ASUS says the difficulty impacts the next router fashions:
- XT8 (ZenWiFi AX XT8) – Mesh WiFi 6 system providing tri-band protection with speeds as much as 6600 Mbps, AiMesh help, AiProtection Professional, seamless roaming, and parental controls.
- XT8_V2 (ZenWiFi AX XT8 V2) – Up to date model of the XT8, sustaining comparable options with enhancements in efficiency and stability.
- RT-AX88U – Twin-band WiFi 6 router with speeds as much as 6000 Mbps, that includes 8 LAN ports, AiProtection Professional, and adaptive QoS for gaming and streaming.
- RT-AX58U – Twin-band WiFi 6 router offering as much as 3000 Mbps, with AiMesh help, AiProtection Professional, and MU-MIMO for environment friendly multi-device connectivity.
- RT-AX57 – Twin-band WiFi 6 router designed for primary wants, providing as much as 3000 Mbps, with AiMesh help and primary parental controls.
- RT-AC86U – Twin-band WiFi 5 router with speeds as much as 2900 Mbps, that includes AiProtection, adaptive QoS, and sport acceleration.
- RT-AC68U – Twin-band WiFi 5 router providing as much as 1900 Mbps, with AiMesh help, AiProtection, and sturdy parental controls.
ASUS suggests that individuals replace their gadgets to the newest firmware variations accessible on its obtain portals (hyperlinks for every mannequin above). Firmware replace directions can be found on this FAQ web page.
For these unable to replace the firmware instantly, the seller suggests they guarantee their account and WiFi passwords are sturdy (over 10 non-consecutive characters lengthy).
Furthermore, it is suggested to disable web entry to the admin panel, distant entry from WAN, port forwarding, DDNS, VPN server, DMZ, and port set off.
Another vulnerability addressed on the identical package deal is CVE-2024-3079, a high-severity (7.2) buffer overflow downside that requires admin account entry to take advantage of.
Taiwan’s CERT has additionally knowledgeable the general public about CVE-2024-3912 in a submit yesterday, which is a vital (9.8) arbitrary firmware add vulnerability permitting unauthenticated, distant attackers to execute system instructions on the system.
The flaw impacts a number of ASUS router fashions, however not all will probably be getting security updates as a result of them having reached their end-of-life (EoL).
The proposed resolution per impacted mannequin is:
- DSL-N17U, DSL-N55U_C1, DSL-N55U_D1, DSL-N66U: Improve to firmware model 1.1.2.3_792 or later.
- DSL-N12U_C1, DSL-N12U_D1, DSL-N14U, DSL-N14U_B1: Improve to firmware model 1.1.2.3_807 or later.
- DSL-N16, DSL-AC51, DSL-AC750, DSL-AC52U, DSL-AC55U, DSL-AC56U: Improve to firmware model 1.1.2.3_999 or later.
- DSL-N10_C1, DSL-N10_D1, DSL-N10P_C1, DSL-N12E_C1, DSL-N16P, DSL-N16U, DSL-AC52, DSL-AC55: EoL date reached, alternative is advisable.
Obtain Grasp security updates
Lastly, ASUS introduced an replace to Obtain Grasp, a utility used on ASUS routers that permits customers to handle and obtain information on to a related USB storage system through torrent, HTTP, or FTP.
The newly launched Obtain Grasp model 3.1.0.114 addresses 5 medium to high-severity points regarding arbitrary file add, OS command injection, buffer overflow, mirrored XSS, and saved XSS issues.
Although none of these is as vital as CVE-2024-3080, it is suggested that customers improve their utility to model 3.1.0.114 or later for optimum security and safety.
