
Patch now, or block all inbound requests – Naked Security

ASUS is a well-known electronics maker that produces laptops, phones, home routers, and graphics cards. Recently, the company released firmware updates for its home routers, accompanied by a warning to update firmware immediately. Failure to update means that users need to disable services accessible from the WAN side to avoid potential intrusions, including remote access, port forwarding, DDNS, VPN server, DMZ, and port trigger. ASUS expects potential attackers to probe exposed devices now that a list of bug fixes has been published. Two of the now-patched vulnerabilities have been around for a long time, with a 9.8/10 “danger score” and a CRITICAL rating in the National Vulnerability Database.

Netatalk provides support for Apple-style networking, and a successful exploit of the Netatalk bug would require deliberately malformed network data. HTTP escaping and unescaping are fundamental to any software that listens for and processes web URLs. Other CVE-listed bugs that were patched include an authentication bypass, information disclosure, denial of service, potentially exploitable bugs in the open-source libusrsctp library, unfiltered special characters in URLs, a buffer overflow, and a session hijack. The most notable bug on the list is a command injection vulnerability of the same kind as the MOVEit bugs that have been all over the news lately.
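Two of the bug classes above, unescaped URL input and command injection, come down to how a web-facing program handles a parameter before it reaches the rest of the system. The following is an added example, not code from ASUS or from the original article: a hypothetical router-style handler takes a URL-encoded DDNS hostname, decodes it exactly once, validates it against a strict allow-list, and only then builds an argument list for an external tool. Because the command is built as an argv list and never passed through a shell, shell metacharacters in the input are inert even before validation; the validator rejects them anyway so that bad data never travels further. The parameter name and the `ping` use are assumptions for illustration.

```python
import re
import subprocess
from typing import List
from urllib.parse import unquote

# Allow-list for a DNS hostname: labels of 1-63 alphanumerics/hyphens, not
# starting or ending with a hyphen, a final alphabetic TLD, 253 chars max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    r"[A-Za-z]{2,63}$"
)


def parse_hostname_param(raw: str) -> str:
    """Unescape a form value once (never in a loop) and validate it strictly.

    Decoding exactly once matters: repeated unquoting lets an attacker smuggle
    '%253B' past a filter that only looks for ';' on the first pass.
    """
    value = unquote(raw)
    if not HOSTNAME_RE.fullmatch(value):
        raise ValueError("invalid hostname parameter")
    return value


def build_ping_argv(raw_hostname: str) -> List[str]:
    """Return the argv list for a connectivity check of the given hostname.

    The hostname is the last element of a list, so there is no shell parsing
    step in which ';', '|', '$(' or backticks could mean anything.
    """
    hostname = parse_hostname_param(raw_hostname)
    return ["ping", "-c", "1", hostname]


def run_ping(raw_hostname: str) -> int:
    """Run the check without a shell (shell=False is the default for a list)."""
    result = subprocess.run(build_ping_argv(raw_hostname), capture_output=True)
    return result.returncode


if __name__ == "__main__":
    # Constructed inputs: one legitimate, one carrying a shell metacharacter.
    print(build_ping_argv("dyn%2Eexample%2Ecom"))
    try:
        build_ping_argv("dyn.example.com%3Bid")
    except ValueError as exc:
        print("rejected:", exc)
```

The two defences are independent: the allow-list protects whatever consumes the hostname next (a config file, a DNS update request), while the argv list protects the process boundary even if the validator is later loosened. Stringing the command together with `shell=True` and an f-string would undo both at once.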

The session-hijack issue, tracked as CVE-2023-31195, is another worrying bug. Servers often handle web-based logins by sending a so-called session cookie to the browser to denote that “whoever knows this cookie is assumed to be the same person who just logged in.” To prevent this sort of attack, cookies that are non-public should carry the Secure attribute in the Set-Cookie header that’s transmitted when they’re set, so the browser never sends them over unencrypted HTTP. If you have an affected ASUS router, patch as soon as possible. If you can’t patch at once, block all inbound access to your router until you can apply the update. If you’re a programmer, sanitize your inputs, don’t wait months or years to ship patches for high-scoring bugs to your customers, and review.
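To make the Secure-attribute advice concrete, here is an added example (not code from ASUS or from the article) showing a session cookie set the way the paragraph recommends, beside a small audit routine a defender can run over captured `Set-Cookie` headers to spot ones that lack Secure, HttpOnly or SameSite. It uses only the standard library; the cookie name `session` and the sample headers are constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie
from typing import List


def make_session_cookie(token: str) -> str:
    """Build the value of a Set-Cookie header for a login session.

    Secure: browser only sends it over HTTPS, so a plain-HTTP request cannot
            leak it to anyone listening on the path.
    HttpOnly: script in the page cannot read it, limiting theft via XSS.
    SameSite=Strict: not attached to cross-site requests.
    """
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def new_session_token() -> str:
    """Unguessable token: 32 random bytes, URL-safe base64 encoded."""
    return secrets.token_urlsafe(32)


def audit_set_cookie(header_value: str) -> List[str]:
    """Return the hardening attributes missing from one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    # parts[0] is name=value; the rest are attributes, possibly with '=value'.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    missing = []
    for attr, label in (("secure", "Secure"),
                        ("httponly", "HttpOnly"),
                        ("samesite", "SameSite")):
        if attr not in attrs:
            missing.append(label)
    return missing


def audit_headers(headers: List[str]) -> dict:
    """Audit several captured Set-Cookie values; key is the cookie name."""
    report = {}
    for value in headers:
        name = value.split("=", 1)[0].strip()
        report[name] = audit_set_cookie(value)
    return report


if __name__ == "__main__":
    # Constructed sample: a hardened cookie and a weak one as a router admin
    # page might emit it over plain HTTP.
    samples = [
        make_session_cookie(new_session_token()),
        "asus_token=abc123; Path=/",
    ]
    for name, missing in audit_headers(samples).items():
        print(name, "missing:", missing or "nothing")
```

Run against a browser's saved response headers or a proxy capture, the audit flags every cookie that would be exposed to exactly the hijack scenario the paragraph describes; a cookie reported as missing `Secure` is the first thing to fix on any device whose admin interface is reachable from the WAN side.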
