The top-end dual-band gaming router Asus RT-AX82U is affected by three critical vulnerabilities that can be used to bypass authentication, leak information or cause a denial-of-service (DoS) condition.
The router can be configured via an HTTP server that runs on a local network, but also supports remote management and monitoring.
Cisco Talos researchers published technical details of the vulnerabilities. The most serious is CVE-2022-35401 (CVSS score 9.0), an authentication bypass that can be triggered with a series of crafted HTTP requests.
An attacker can exploit this vulnerability to gain full administrative access to a vulnerable device.
The problem lies in the router's remote administration function, which in effect lets users manage it in the same way as any other IoT device.
Exploitation is possible if the user enables access to the HTTPS server from the global network and generates an access code that allows a remote website to connect to an endpoint on the device, with a token check every 2 minutes.
As it turned out, the token generation algorithm is open to a brute-force attack, since the router supported only 255 possible codes, and the check of the token creation time was also flawed, since it was based on the uptime of the device.
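A defensive counterpart to the weakness described above, as an added example that is not Asus or Talos code: a token gate that draws 128-bit tokens from the OS CSPRNG, bounds their age, and locks out after repeated failures. The names `TokenGate` and `expected_guesses`, the `MAX_FAILURES` value and the mapping of the 2-minute check to a 120-second lifetime are assumptions made for illustration.

```python
import hmac
import secrets
import time

TOKEN_TTL_S = 120     # assumed to mirror the 2-minute token check on the page
MAX_FAILURES = 5      # assumed lockout threshold (hypothetical value)


def expected_guesses(code_space: int) -> float:
    """Average online guesses needed to hit one valid code in a uniform space."""
    return (code_space + 1) / 2


class TokenGate:
    """Hypothetical issuer/validator: one live token, bounded age, bounded guesses."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock       # injectable so expiry can be tested
        self._token = None
        self._issued_at = 0.0
        self._failures = 0

    def issue(self) -> str:
        self._token = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
        self._issued_at = self._clock()
        self._failures = 0
        return self._token

    def check(self, presented: str) -> bool:
        if self._token is None or self._failures >= MAX_FAILURES:
            return False                          # nothing issued, or locked out
        age = self._clock() - self._issued_at
        if age < 0 or age > TOKEN_TTL_S:
            self._token = None                    # expired, or clock went backwards
            return False
        ok = hmac.compare_digest(presented.encode(), self._token.encode())
        if not ok:
            self._failures += 1
        return ok


if __name__ == "__main__":
    print("255-code space:", expected_guesses(255), "guesses on average")
    print("128-bit space: %.3g guesses on average" % expected_guesses(2 ** 128))
```

With only 255 codes the average is 128 guesses, which is why the lockout counter and the token size matter together: either one alone leaves an online guessing path open.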
The remaining two serious bugs, CVE-2022-38105 and CVE-2022-38393, affect the router functionality that allows you to configure the mesh network.
CVE-2022-38105 allows an attacker to send crafted network packets to cause repeated out-of-bounds errors and leak data, such as thread stack addresses.
The second problem exists due to missing validation of incoming packets, which allows an attacker to cause memory loss and crash the system.
The three vulnerabilities were found in Asus RT-AX82U firmware version 3.0.0.4.386_49674-ge182230 and were reported to the vendor back in August.
We understand how rarely patches get installed on routers, but users are still strongly advised to update their devices to the latest firmware version.