Two Security Vulnerabilities Found in Asus RT-AC1900P Router

Owners of the popular ASUS RT-AC1900P (RT-AC68U) broadband router should immediately visit the product’s support site to download and apply the latest firmware update, which comes after two new vulnerabilities were discovered that “could allow for complete compromise” of the device and all traffic that traverses it.

The router itself has been around for a number of years, but it remains one of the most popular thanks to its feature set and performance. However Trustwave, a digital security specialist with a long history of finding holes in routers (examples here and here), recently unearthed two new vulnerabilities in the RT-AC1900P’s firmware update functionality.

The manufacturer, ASUS, was notified of these issues some time ago and has already patched them in their recent firmware (here). Suffice to say that now is a good time to update, given that the new vulnerabilities have been disclosed to the public.

Finding 1: Update Accepts Forged Server Certificates (CVE-2020-15498)

The first vulnerability was about accepting untrusted (forged) certificates by the wget program used by the router to fetch the updates from ASUS servers. If you happen to have an ASUS RT-AC1900P using old firmware, you can login via SSH and grep through the filesystem for a string:

–no-check-certificate

This will yield some shell scripts that perform downloads from the ASUS update servers. A malicious attacker could exploit this lack of certificate checking to force the install of malicious files. While the attacker would have to be adjacent network wise to the vulnerable router to perform the man in the middle attack (MITM), a successful attack could result in a full compromise of the router allowing for complete access to all traffic going through it. The latest firmware does not use this wget option anymore, so the MITM attack is no longer possible.

Finding 2: XSS in Release Notes Dialog Window (CVE-2020-15499)

The second bug ASUS fixed was a cross-site scripting (XSS) vulnerability in the Web Management interface related to firmware updates: the release notes page did not properly escape the contents of the page before rendering it to the user. This means that a legitimate administrator could be attacked by malicious party using the first man in the middle finding and chaining it with arbitrary JavaScript code execution. Example of a fake release notes page for this attack:

{/textarea}
{script}alert(document.cookie);{/script}
{textarea}

ASUS fixed this in the latest firmware so that the release notes page no longer renders arbitrary contents verbatim.

A number of other security flaws in the RT-AC1900P have also been found and patched since these were discovered, although the exact details of those have yet to be made public.