ASUS Router Administrative Interface Exposure

2016.02.12
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Asus wireless routers running ASUSWRT firmware (in other words, anything with an RT- in the model name) have a design flaw in which the administrator web interface may be open to the public Internet even if you have specifically disabled web access from the WAN. Specifically, these routers have two separate controls that affect access to the router web interface, and no warning that one can override the other. In order to block public access to your router, both of the following must be set: Enable Web Access from WAN: No Enable Firewall: Yes If Enable Firewall is set to No, that will override WAN access setting, with no warning, enabling anyone that knows your IP address to access your router's administrative interface from anywhere in the world. The attacker would still have to figure out your password, but this simple design error makes it all to easy to think you have secured your router, and yet still be vulnerable. Looking over Shodan for other devices with banners consistent with Asus routers, I see around 122,000 routers with a publicly-reachable HTTP service. I also find another 15,000 with a publicly accessible HTTPS service - meaning the owner knew enough to restrict administrative access to an secured login. I would expect most administrators that took the time to restrict access to HTTPS, also took the time to restrict such access to only local devices. In other words, 15,000 people made an effort to secure their routers, and yet could still be pwned from an Internet attacker. This is true as of the most recent firmware available, version 3.0.0.378.9460 dated December 29, 2015. I have tested a beta firmware release that fixes this situation, and expect it will be publicly released shortly. In the meantime, both "Enable Web Access from WAN" and "Enable Firewall" must be set properly in order to block public access to the web UI. Details, along with an export of the relevant iptables rules set by the various settings, are at http://www.securityforrealpeople.com/2016/02/poor-ux-leads-to-poorly-secured-soho.html Regards, David Longenecker Connect: Blog <http://securityforrealpeople.com/> | @dnlongen <https://www.twitter.com/dnlongen> | LinkedIn <https://www.linkedin.com/in/dnlongen/> PGP key: https://keybase.io/dnlongen

References:

http://www.securityforrealpeople.com/2016/02/poor-ux-leads-to-poorly-secured-soho.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top