Five ASUS RT series routers suffer from a vendor vulnerability that
default FTP service to anonymous access, full read/write permissions.
The service, which is activated from the administrative console does
not give proper instructions nor indications that the end user needs
to manually add a user to the FTP access table.
The vendor was first alerted to this issue in late June of 2013, and
then four other times officially from July 2013 to December 2013. It
was not until January of this year, when the editors for the Norwegian
publication IDG/PC World went to ASUS that any official response came.
This vulnerability has been exploited aggressively for sometime now,
and as a rolling count which has been kept ongoing since July 2013,
over 30,000 unique IP address, at one time or another have had their
FTP service shared.
The FTP services, when not secured, allows for full read/write access
to any external storage devices attached to the usb drives on the
The vendor has issued an official (beta) patch for the RT-AC68U as of
mid-January, and plans on additional patches in the coming week.
CWE-287: Improper Authentication
CVSS v2 Vector (AV:N/AC:L/Au:N/C:C/I:C/A:N/E:H/RL:OF/RC:C)
CVSS Base Score 9.4
Impact Subscore 9.2
Exploitability Subscore 10
CVSS Temporal Score 8.2
Overall CVSS Score 8.2
Many have reported malware being uploaded into the sync share folders,
large amounts of unauthorized file sharing and most importantly the
theft of entire hard drives of personal information. Over 7,300 units
are still vulnerable to this weakness as of today.
It is strongly urged that those with any of the above routers check to
ensure that their FTP service has been secured.
Research Contact - Kyle Lovett
Discovered - June, 2013