ASUS RT Password Disclosure

2014.04.18
Risk: High
Local: No
Remote: Yes
CWE: N/A


Ogólna skala CVSS: 6.3/10
Znaczenie: 6.9/10
Łatwość wykorzystania: 6.8/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Jednorazowa
Wpływ na poufność: Pełny
Wpływ na integralność: Brak
Wpływ na dostępność: Brak

http://dnlongen.blogspot.com/2014/04/CVE-2014-2719-Asus-RT-Password-Disclosure.html In mid February, I wrote that a substantial portion of ASUS wireless routers would fail to update their firmware. In fact, the "check for update" function would inform the administrator that the router was fully up-to-date, even though it was not. ASUS was very quick to fix this. In analyzing that issue though, I saw some things that looked like potential avenues of exploit. The Web GUI for the ASUS RT- series of routers exposes the administrator username and password in clear text. This is true for the RT-AC68U, RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U models. I have not tested but suspect the same is true of RT-N53, RT-N14U, RT-N16, and RT-N16R since they use the same firmware base but a different sub-version. This is CVE-2014-2719. If the administrator is logged in, an attacker can browse to <router_address>/Advanced_System_Content.asp and obtain the username and password. Another researcher demonstrated a way to access the router via embedded images in an email message 18 months ago; that combined with this would gain an attacker easy administrative access. Compounding the problem, the admin login does not have a session timeout. Thus, if the administrator logged in (such as when first configuring the router, or subsequently installing an update) and does not intentionally logout, the session remains live and can be exploited as described above, even if the administrator no longer has a window open on the router. Firmware 3.0.0.4.374.5517 fixes both of these issues. The new code no longer shows the current password to users, and there is a new option to automatically logout after a set period of time. By default, the router will now log the administrator account out after 30 minutes; you can set this anywhere from 10 minutes to 999 minutes, or disable the feature if you prefer to stay logged in indefinitely. -- Regards, David Longenecker Connect: Security Blog <http://dnlongen.blogspot.com> | Security Twitter<https://www.twitter.com/dnlongen> | Awana Twitter <https://www.twitter.com/dstx_awana> | LinkedIn<https://www.linkedin.com/in/dnlongen/>

Referencje:

http://dnlongen.blogspot.com/2014/04/CVE-2014-2719-Asus-RT-Password-Disclosure.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top