"Asus Patches Highly Critical WiFi Router Flaws"

Taiwanese computer hardware manufacturer Asus recently released urgent firmware updates to address vulnerabilities in its WiFi router product lines and warned users of the risk of remote code execution attacks.  In a recent advisory, Asus documented at least nine security defects and multiple security weaknesses that allow code execution, denial-of-service, information disclosure, and authentication bypasses.  The most serious of the nine vulnerabilities, a highly critical bug with a CVSS severity rating of 9.8/10, dates back to 2018 and exposes routers to code execution attacks.  Asus stated that the vulnerability, tagged as CVE-2018-1160, is a memory corruption issue in Netatalk before 3.1.12.  The Asus firmware update also patches CVE-2022-26376 (CVSS 9.8/10), a memory corruption vulnerability in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7.  The company, which has struggled with security problems in the past, listed the affected WiFi routers as Asus GT6, GT-AXE16000, GT-AX11000 PRO, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.  Asus stated that if one chooses not to install this new firmware version, then they strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions.  These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, and port trigger.  

SecurityWeek reports: "Asus Patches Highly Critical WiFi Router Flaws"