ASUS has issued a security alert this week for a number of its router devices. The alert includes new firmware updates that are designed to fix a large number of security issues that have been discovered in these products.
- GT-AX11000 PRO
- XT8 V2
- RT-AX86U PRO
The support page also has specific firmware download links for each of the routers on the list above. The update fixes quite a few security issues in those devices. Many of them were discovered a few years ago, including one that dates back to 2018.
The specific issues that are addressed with these firmware updates are:
- Fixed CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2018-1160, CVE-2022-38393, CVE-2022-26376
- Fixed DoS vulnerabilities in firewall configuration pages.
- Fixed DoS vulnerabilities in httpd.
- Fixed information disclosure vulnerability.
- Fixed null pointer dereference vulnerabilities.
- Fixed the cfg server vulnerability.
- Fixed the vulnerability in the logmessage function.
- Fixed Client DOM Stored XSS
- Fixed HTTP response splitting vulnerability
- Fixed status page HTML vulnerability.
- Fixed HTTP response splitting vulnerability.
- Fixed Samba related vulerabilities.
- Fixed Open redirect vulnerability.
- Fixed token authentication security issues.
- Fixed security issues on the status page.
- Enabled and supported ECDSA certificates for Let's Encrypt.
- Enhanced protection for credentials.
- Enhanced protection for OTA firmware updates.
ASUS also recommends owners of these routers create different, and strong, passwords for their wireless network and for their router administration page.
If, for some reason, owners of the affected routers cannot download the new firmware update, ASUS says it recommends "disabling services accessible from the WAN side to avoid potential unwanted intrusions." Those services include features like remote access from WAN, port forwarding, DDNS, VPN server, DMZ, and port trigger.